How Has Digitalization Changed the Role of the CISO?

Gaurav Singh, CISSP, CCSP, shares his views on how the rapid acceleration and adoption of digitalization is reshaping the role of a CISO.

Digital transformation is everywhere, whether it’s disrupting your finance department, supply chain, human resources, procurement or customer relationship management (CRM); the list is enormous. Every enterprise and its departments have either already completed a significant digital transformation, are currently working on one, or plan to go on such a journey soon.

This digitalization of business processes and operations, and of their underlying technology, applications, and infrastructure, has made the job of a Chief Information Security Officer (CISO) more complex and challenging. It has required many CISOs to pivot in their approach to security to ensure the digital ecosystems of their organizations remain secured and protected from bad actors and constant cyber threats.

Scope: No Longer About Just Protecting the Systems Within the Firewall

Critical systems are no longer within firewalls, and enterprises rely more on third-party suppliers and cloud/SaaS-based systems to support their critical business processes. This digitalization of a company’s assets and landscape has made the role of a CISO very complicated.

Digitalization across departments in an organization has changed and expanded the scope of work for many CISOs. It’s no longer just securing the network perimeter and traditional information security tasks. With digital transformation and more cloud and SaaS applications in play, the scope now also includes working with third parties, vendors and suppliers to ensure that due diligence, due care and organizational policies are being followed.

Complexity: Increased Threat Landscape

If data regulations across the world (GDPR, etc.) and other regulations that also cross into IT and security (like Sarbanes-Oxley, PCI DSS and HIPAA) were not enough, the increased complexity of infrastructure and systems is adding to the complexity of the threat landscape and forcing all departments to enforce operational policies with greater vigor.

This increasing complexity with every digital transformation step is not making the job of a CISO any easier. First, the business focus and priority are rarely security, but rather the usability and functionality of the application, and with every new application being implemented, the complexity of the landscape increases, so the work of the CISO and their team is getting more difficult both to implement and to secure buy-in for.

Collaboration: It’s All About Teamwork

Today, digital organizations need CISOs to focus not just on technology but also on the collaborative development of business processes, to ensure security at the core that considers the people and technology around them. Collaboration with enterprise risk management at this point becomes more critical as well.

We talked about digitalization across the organization, and how it’s more critical than ever for CISOs to collaborate with business leaders and other stakeholders. Forming cross-functional teams across critical functions like supply chain and finance is essential. The CISO role needs a seat on any organization-wide advisory board and is a key stakeholder in areas including, but not limited to, cybersecurity for supply chain risk and enterprise risk management. The working silos between cyber and business teams need to be broken, and the CISO, along with other leaders, now carries the bulk of the responsibility to make it happen.

n

nn

n

n

n

AI: Here to Stay, and Challenging a CISO’s World

As if the current threat landscape and complexity were not enough, the advent of AI, especially generative AI like ChatGPT and Bard, is creating another type of threat to organizations. These generative AIs are seen more as foes than friends by most CISOs, but AI is here to stay, and more and more business users and leaders are looking to leverage it. CISOs need to accept the new generative AI world and work closely with stakeholders to approve and allow its use within clear boundaries and limits defined in the organization’s acceptable use policy. Generative AI can also benefit the cyber team, and hence CISOs need to investigate security uses too, supporting the security team and its ability to respond.

Compliance with Regulations Worldwide: Think Local

A growing number of countries are developing local regulations, asking for compliance around any system, application or infrastructure that processes the data of their citizens and supports the operations of that country or region. The digitalization of business operations in each region is also sometimes dependent on this local compliance, resulting in different regional and local vendor onboarding and creating another challenge for the CISO. Even with limited teams and support across regions, the CISO needs to make sure the organization not only remains protected and keeps PII data safe, but also complies with these varying local regulations.

Users: Train Your Weakest Link

Business users want the latest SaaS-based applications that make their lives easier and help them perform business functions more efficiently. Whether it’s the use of robotic process automation (RPA), the often challenging bring your own device (BYOD), working remotely, or even the use of generative AI, the average user is not concerned about security, threats and attacks (ransomware, phishing, etc.). This makes the CISO’s job more difficult to execute and maintain. The CISO and their team need to focus more on security awareness and on training users in cybersecurity trends, issues and the various threats, as research and real attacks have repeatedly shown that humans are the weakest link in every digital transformation. More open, cloud and SaaS-based technologies, and the increased threat landscape that comes with them, make keeping users cyber aware more important than ever.

Cyber Resiliency: Make Your Business-Critical Systems Resilient

With the digitalization of applications and the landscape, cyber resilience is more critical than ever. It is never possible, nor cost-effective, to build resiliency into every application an organization has; hence, CISOs must work with the business to identify critical business functions along with the critical systems, applications and infrastructure behind them, and target those for redundancy and resiliency so that core and critical business functions can continue in case of a cyber incident or disaster. Cloud technologies have helped greatly here from an infrastructure and automation perspective. Still, the shared responsibility model and reliance on third parties have made this challenging to manage.

Continuous Monitoring: It’s All About Controls

Knowing your critical assets and having controls defined around them to ensure due diligence and due care are being maintained, along with continuous monitoring to identify any issues, incidents or fraud, is also critical. With digital transformation projects and complex systems and landscapes, automating continuous control monitoring is recommended, but it may not be as easy as it sounds.

Finally, building a cyber mindset across the organization is more critical than ever. The responsibility probably rests more with the CISO and their team than with anyone else in the organization. Though the CISO will need support from other executive leaders, the CISO and their team must build relationships with stakeholders, including but not limited to enterprise risk management, internal and external audit, legal and HR, so that any digitalization happening in the organization includes security by design and is both successful and protected, making it a win-win for the organization and the cyber team.

Gaurav Singh, CISSP, CCSP, is a cybersecurity leader currently working at Under Armour. He has over 18 years of experience in IT security, specializing in ERP, cloud security, and GRC, protecting and leading enterprise digital transformation from a cyber perspective.
