History has not been kind to anyone trying to fight battles on two fronts at once. Yet that’s the unenviable task facing today’s Chief Information Security Officers (CISOs): there is a clear need to keep up with rising customer expectations in the digital revolution – as well as managing cybersecurity.
A recent report from analyst firm Forrester shows how, for these Generals of cybersecurity, the old front (the one we all know about) is about stopping cyber-attacks from happening - the data and network breaches that cost enterprises an estimated $600 billion USD a year.
The new battleground sounds almost antagonistically opposite: how do you prevent information security from ensnaring your own troops’ agility to move quickly and win the digital transformation initiative?
As things stand, when security and business goals diverge, security hardly ever wins. However, the two perspectives are nevertheless vital for today’s CISOs in the struggle to build trust with all stakeholders.
The old world of “batten down the hatches” is no longer acceptable to C-Suite executives, who also demand the ability to open up to collaboration within global ecosystems.
A dangerous disconnect in trust
We are seeing this tension really come to the fore in data privacy. It is no longer a question of “if” a business will be attacked in some way, but “when” and “how”.
The Breach Live Index, which tracks publicly-disclosed breaches, shows that nearly 15Bn data records have been stolen since 2013. Any breach means high costs – in terms of post-attack responses, as well as damage to the brand, reputation, and stock value, not to mention possible fines for regulatory compliance violations.
This isn’t some sort of industry secret. The risk of data breaches is increasingly obvious to consumers, who are rapidly losing trust in major organizations to keep their information and transactions safe.
The fact that a recent Fujitsu survey found that some 72% of CxOs and decision-makers are also worried their personal data may be exploited by organizations without permission, tells us this has gone well beyond a consumer-scare story.
At a time when using data to drive top-line revenue has never been better understood, there is clearly a dangerous disconnect between what organizations want to achieve and what their primary stakeholders - their customers – are prepared to let them do.
Building a trusted future
The ability to build a trusted future - where security and openness are in balance – is at the heart of what we do here at Fujitsu. As well as advising enterprises about their cybersecurity, we also provide a range of managed security services that our customers have to be able to trust. If we can’t meet their requirements, we may lose the business.
Fujitsu’s approach to intelligence-led security can help with advice, monitoring services, infrastructure services and more.
This approach involves not just technology but an organization-wide recognition of security’s importance to the company’s success. It’s all about gaining an enterprise view, a big-picture vision of security that produces a more nimble, resilient and customer-focused business.
Achieving balance in cybersecurity requires aligning strong security principles to enterprise goals. We are closely aligned with Forrester here, which advocates security leaders take what it calls “an enterprise risk management view” and put security and privacy concerns front and center in the lifecycle of service and product development.
The Forrester CISO Strategic Canvas guides CISOs on building a risk management framework to reconcile this diverging set of interests, treading the thin line between improving resilience while supporting openness to customers and partners.
Can you put a value on trust?
CISOs are aware of their reputation for slowing things down, as security is often regarded in their organization as a cost of doing business - a drag on innovation - and the function is not generally seen as an enabler.
Brian Hintze, director of cybersecurity at Fujitsu Network Communications, says:
I have been fortunate to have really good support at the executive level because our regional CISO here at Fujitsu does an outstanding job of building relationships with our business leaders. We have moved beyond using Fear, Uncertainty and Doubt (FUD) and matured into using the language of business.
When I bring a project forward, I want to be able to demonstrate why it’s needed, what risks we’re trying to avoid and how I’m helping the business to connect to customers and store their data in a way that they will feel is secure. That certainly resonates with our leaders, as it enables additional opportunities with key customers
Calculating Return on Security Investment (ROSI), which we are all hearing about a lot at present, is another matter.
There are certainly some models out there, but they are challenging because they come down to an educated guess — what’s the percentage risk that you are going to have a security breach? Being able to defend such numbers in front of a business leader is always tough.
Forrester’s advice here is that CISOs should include success metrics to prove their security programs are allowing executives and board members to innovate and deliver projects faster with lower costs. This approach will correlate with how much support and funding you can expect to get for security investments.
It also encourages board-level recognition of the value of a security strategy in terms of financial impact – through cost control and revenue growth - customer trust impact and internal culture impact. Ultimately, this is how to gain the attention and support of your board and business lines.
