techUK sets out recommendations to help guide CISOs as organisations continue their digital transformation
The Role of the CISO in a Digitally Transformed Organisation highlights the complexities surrounding the role of the Chief Information Security Officer (the CISO). In this new report, we explore what the CISO should be focusing on in an era where every organisation is a technology organisation, and touch on the key attributes of a successful CISO: leadership, strategy, technical expertise, and governance.
Our report makes seven recommendations to enable the CISO to ensure that cyber security is recognised as a business enabler, helping their organisation to deliver on its digitalisation journey. These recommendations are underpinned by examples and contributions from industry leaders, including Microsoft, IBM Security, BT Security and Corix Partners.
Recommendation 1: The CISO must help the Board to recognise cyber security as a business enabler, and a critical ingredient in helping the organisation to deliver on its digitalisation journey.
Recommendation 2: The CISO should look beyond the purely technical and focus on business risk management. The CISO must have, and embrace, wider business skills and knowledge to drive change across all business functions.
Recommendation 3: The CISO must be prepared for all types of crises: identify the principles that will guide you in decision-making – and test them.
Recommendation 4: The CISO should build a digital empathy system: use telemetry and trend data to understand how people actually work within the system, so that the organisation can improve their experience and reduce risk.
Recommendation 5: Supercharge the human firewall: the CISO should sharpen security hygiene to encourage people to adopt digitally safe behaviours and be on their guard against cyber threats.
Recommendation 6: The CISO should build the case for investment in appropriate threat intelligence so that they are equipped to help their leadership teams understand the business problem in context and to support improved decision-making.
Recommendation 7: Diversity is a strength to be actively sought within the security team (and beyond). The CISO should help to hold their organisation to account on diversity and initiate conversations that provoke action to ensure a team that makes better decisions.
This report is the second in the wider techUK Cyber People Series, which set out to explore how people can be the strongest element of the UK’s cyber defences. The aim of these reports is not to be prescriptive, but to support organisations and stakeholders in making the right decisions, highlighting best practice across UK sectors, and sharing insight from industry leaders across a range of topics.
The first report, The CISO at the C-Suite, tackled the key question of how the Chief Information Security Officer role should engage at C-Suite and Board Level, leveraging influence to ensure cyber security is seen as an enabler of the rapid digital transformation that all organisations saw throughout 2020. Future reports in this important series will continue to examine the CISO function, including how to make informed buying decisions.
Dan Patefield, Head of Cyber and National Security at techUK said: “As cyber security underpins an increasing part of everything an organisation does, the role of the CISO function continues to evolve, enabling cyber resilient cultures to develop over time. It is critical for the CISO function to embrace wider skillsets beyond the technical, with an emphasis on commercial, communication and leadership. The key areas of focus outlined in this report, and the practical steps recommended, will guide organisations’ approach to this function as digital transformation continues apace. In doing so, we can ensure that cyber security is viewed as a true business enabler and create a strong foundation for that long-term cultural change to occur.”
Want to know more? Listen to our podcast where we explore the report's topics further with our three expert guests – Paul D'Cruz, Security Solutions Leader at Microsoft UK, Jean-Christophe Gaillard, Managing Director of Corix Partners and Martin Borrett, IBM Distinguished Engineer and Technical Director at IBM Security.