Changing the mindset of the CISO: From enforcer to enabler
With digital transformation investments expected to reach a staggering $7.4 trillion before 2023, organizations realize that they must disrupt their markets or risk being disrupted themselves. However, with digital transformation comes a multitude of cybersecurity-related challenges to overcome, and it’s up to the CISO to help businesses navigate the associated risks.
CISO must aid the business
Security leaders can no longer adopt the role of enforcer, but rather need to pivot to a new role: the enabler. CISOs today have the opportunity to help enable the organization to grow by delivering a digital experience that delights customers while mitigating digital risk. This requires the CISO to advise the business about when and where cyber risks could manifest. Security leaders must now be able to transform their security practices in lockstep with all the other changes wrought by business-wide digital transformation.
Today’s CISO needs to be able to advise the business so that it understands the risk landscape and can then make informed decisions about which risks are tolerable and which ones to avoid at all costs. In addition to providing this counsel, security leaders must be able to implement the technology that mitigates those risks and protects the business as it continues down the path of digital transformation.
As part of this change in mindset, security leadership needs to take into account the impact of friction on the user experience, as it can “make or break” security initiatives. The CISO must now focus on reducing unnecessary friction where appropriate in support of digital transformation objectives.
How to reduce security friction
As a rule, security friction rises and falls in proportion to the severity of the security restrictions put in place. The successful CISO must collaborate with the business and find a way to balance the appropriate controls for any given scenario in order to maximize protection and minimize security friction.
To achieve this balance, the CISO needs to home in on these seven variables:
1. How much is at risk if no controls are in place?
2. How could controls interrupt revenue streams?
3. Could the aggravation caused by the control cost the company many customers?
4. Must the business stop using or restrict innovative business processes or technology for the controls to work?
5. Will the level of friction from controls cause a revolt among users that could hamper implementation or induce unsafe workarounds?
6. How much will controls slow down technology delivery or innovation?
7. Are there alternative controls that could offer significantly less friction without sacrificing the risk-reduction benefits?
By reviewing this checklist, CISOs will be able to advise the business of the different options available and, most critically, the path forward to mitigate risk and minimize friction. Security leaders need to outline the options available that will help reduce risk in the context of the business operating environment.
The successful CISO in the digital era needs to help the business understand all the different variables. To achieve this requires a mindset shift from that of an enforcer to that of a collaborative and flexible partner. Security teams need to recognize that they now provide a valuable service to the business in the quest to mitigate digital risk and minimize security friction.
Here are three examples of ways to achieve this balance in a digital-first world.
Payment processing
Online and mobile transactions are increasingly becoming the lifeblood of commerce for every type of organization, and digital transformation spurs this on further. While fraud protection is essential, transaction speed is paramount.
Effective security teams manage this with behavioral indicators that raise security measures in response to risky behavior. Paired with compromised-credential screening during authentication, this generally keeps friction low for the average transaction while mitigating the risk of account takeover and the associated financial costs and reputational impact.
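As an added illustration that is not part of the original article, the following Python sketch shows the pattern just described: behavioral signals feed a risk score, a breached-password check contributes to it, and only risky attempts are stepped up or blocked. The signal weights, thresholds and the small in-memory breached-password set are constructed assumptions, not a vendor's scoring model.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of a breached-password corpus, held as SHA-1 digests.
# Real deployments would query a range (k-anonymity) API or a local copy of a
# breach corpus instead of embedding plaintexts like this.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "letmein", "qwerty2020")
}

@dataclass
class LoginAttempt:
    password: str                # submitted credential (assumed already validated)
    new_device: bool             # device fingerprint never seen for this account
    country_mismatch: bool       # geo differs from the account's usual country
    failed_logins_last_hour: int # velocity signal
    amount: float                # value of the transaction being attempted

def credential_is_compromised(password: str) -> bool:
    """Compromised-credential screening against the breached-hash set."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1

def risk_score(a: LoginAttempt) -> int:
    """Additive behavioral risk score; weights are illustrative assumptions."""
    score = 0
    if a.new_device:
        score += 20
    if a.country_mismatch:
        score += 30
    score += min(a.failed_logins_last_hour, 5) * 10   # cap brute-force weight
    if a.amount > 1000:
        score += 20
    if credential_is_compromised(a.password):
        score += 40  # on its own this already forces step-up (see thresholds)
    return score

def decide(a: LoginAttempt) -> str:
    """Low-risk traffic flows through; friction is added only as risk rises."""
    s = risk_score(a)
    if s >= 80:
        return "block"
    if s >= 40:
        return "step_up_mfa"
    return "allow"
```

The thresholds are where the business trade-off from the checklist above lives: raising them lowers friction, lowering them tightens account-takeover protection.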
Software supply chain
Software development teams increasingly depend upon third-party code and open source libraries to quickly develop software. This underpins the DevOps and Agile practices that fuel the rapid software delivery necessary for digital transformation. But third-party code also accelerates the introduction of new vulnerabilities into enterprise software.
Rather than banning the transformative practice of relying on third-party code, successful security teams are finding ways to track and manage the use of these components while making it easier for developers to source them. Security leaders reduce friction here by tailoring the controls to the development process rather than making developers jump through multiple time-consuming security hoops.
Data sharing
Data sharing through cloud services and API connections between applications is crucial to digital transformation efforts. Many innovations today rest on complex digital ecosystems and integrations. The most impactful frictionless security efforts are those that ease access and integration. At the business user level, that means allowing the use of common platforms such as Box, while increasingly tying data access policies and visibility into data use to identities and roles. At the application level, it means designing security mechanisms and APIs that work seamlessly in an ecosystem and help facilitate data controls. The security tools must work without breaking integrations or degrading service levels.
Digital transformation is changing every aspect of how we operate, including the role of the CISO. The successful CISO in the 2020s and beyond needs to take a risk-based approach that consistently views security reasoning through the lens of user experience, business profitability, and viability.