The landmark Sarbanes-Oxley Act of 2002 (SOX) was passed during a highly tumultuous era, overhauling corporate governance and bringing financial expertise to the boardroom. Fast-forward to present day, and uncertainty is again the prevailing economic theme; more than 70% of organizations have experienced ransomware attacks in the past year, and 64% admit they cannot stop a supply chain-related attack. As they did 20 years ago, regulators are calling for sweeping change: this time for increased cyber disclosures by public companies, and specifically, greater cybersecurity aptitude at the corporate director level. Once again, boards are poised for a shakeup, one that legal experts say will bring more CISOs to the table.
As their strategic role expands, many CISOs around the world are “having a moment,” bolstered by growing top-level support and additional resources to advance their cybersecurity missions. But making the most of this moment — and making it last — will come down to focus across four key areas.
1. Focus on data
While four out of five organizations increased their cybersecurity budgets in 2022, no security leader has enough resources to tackle everything on their to-do list at once. Risk quantification is a continued challenge: a Harvard Business Review Analytic Services survey sponsored by PwC found that less than half (45%) of executives “strongly agreed” that they had a formalized process to evaluate cyber risks in line with business priorities. The survey shows a small but growing number of CISOs are turning to frameworks such as the open-source FAIR (Factor Analysis of Information Risk) methodology, analyzing causal relationships in high-risk scenarios or deploying actuarial models to get a more accurate financial estimate of the threats their companies face. Since these risk models are only as strong as the data that feed them, security tools that can enhance intelligence gathering, broaden visibility and deepen contextual insights are critical for communicating risk in business terms and optimizing cybersecurity spending.
2. Focus on impact
While threats and business priorities change, identity’s integral role in the cyber attack chain does not. The latest Identity Defined Security Alliance (IDSA) research indicates 79% of organizations have experienced an identity-related breach within the last two years, and 93% believe they could have prevented or minimized security breaches if they had implemented specific identity-related security outcomes. Any identity — human or machine — located anywhere across business applications, distributed workforces, hybrid cloud workloads or throughout the DevOps lifecycle can be compromised and open an attack path to an organization’s most valuable assets. With this understanding comes focus: more than half of CISOs and CIOs have introduced (or plan to introduce) Identity Security measures to better manage sensitive access, including real-time monitoring and analysis to audit all privileged session activity, enforcing least privilege security and Zero Trust principles on infrastructure that runs business-critical applications and implementing processes to isolate business-critical applications from internet-connected devices to restrict lateral movement.
3. Focus on business enablement
CISOs can play a powerful strategic role in driving high-stakes digital initiatives forward. What’s key is inserting themselves into these projects from the beginning — to educate IT and line-of-business owners on security and privacy risks and establish consistent, Zero Trust-centric processes such as securing user access to the very applications that fuel transformation initiatives. Doing so can also help CISOs stay in alignment with key stakeholders and better balance investments between digital initiatives and critical security protections to avoid cybersecurity debt accumulation that can hamstring progress.
4. Focus on user experience
When end users can’t navigate the security process or must contend with too many different security tools, they often find workarounds, make poor password choices or take other actions that can lead to identity-based vulnerabilities attackers can exploit. Eighty-six percent of senior security leaders say user experience (UX) optimization is “important” or “very important,” and many are wisely focused on incorporating controls that work to secure access — regardless of device or location and at just the right time — while keeping users productive and informed. AI, machine learning and automation can help make Identity Security processes more effective and more user friendly over time by mapping behavior patterns and contextual signals and continuously optimizing controls based on these learnings and dynamic risks.
The Power of Focus
In a 2021 global survey of CISOs, recruiting firm Heidrick & Struggles found that nearly half of CISOs want to be board members — something that seems increasingly achievable and essential to building organizational cyber resilience. By maintaining a focused approach across these four areas, CISOs can demonstrate their strategic capabilities, strengthen the boardroom and confidently defend against attacks as they take their hard-earned and long-overdue seat at the table.