As business increasingly takes place in digital spaces, companies' cybersecurity policies have an unprecedented impact on revenues. The relationship between business viability and cyber preparedness is strong enough that regulators are revisiting their standards. The Securities and Exchange Commission (SEC) is in the process of implementing a range of cybersecurity disclosure policies for public companies, a move that treats security policies as material information.
In a related move, the SEC has also accused SolarWinds of misleading investors about the data breach the company suffered in 2020, going so far as to charge the company's CISO with fraud and internal control failures. While this development is certainly shocking, it is in line with a trend whereby companies increasingly view their CISOs as business risk managers and keys to attracting customers, not just security gatekeepers.
Stan Black, CISO at privileged access management (PAM) firm Delinea, is vocal about the significance of this change. "Now our responsibilities cut across the entire business," he says. "We are tied to customer supply chain risk, so we are revenue enabling. We work together with legal to identify and manage risk. CISOs must understand the challenges and requirements of the customer and be an enabling partner to the entire go-to-market organization, partners, and the customers themselves."
Given these changes, here are three critical business functions that today's CISOs need to proactively oversee.
As we approach 2024, consumers are more security-aware than ever. As a result, companies today prioritize customer trust. While security frameworks were previously used for internal audit processes, today they're used as trust differentiators.
A company's approach to security thus plays a key role in attracting new revenue and retaining existing customers. CISOs must treat their companies' cyber GRC efforts as more than checking a few boxes. Ultimately, their GRC strategy will affect revenues.
Compliance badges are displayed as a way of demonstrating a company's commitment to security, in a bid to cultivate buyer trust. "Businesses across industries are consistently changing as well, in an effort to meet customer expectations, market trends, budget constraints, and employee well-being and satisfaction-related demands," asserts Arik Solomon, co-founder and CEO of Cypago, a cyber compliance automation platform.
"CISOs must regularly verify that the organization's cybersecurity program is aligned with all compliance and regulatory requirements derived from its business goals and objectives. These, of course, tend to evolve over time as well, with new regulations emerging to help protect organizations, their assets, and their customer base."
By automating security data collection and monitoring that data continuously with tools like those offered by Cypago, CISOs can focus on broader organizational objectives and align security with them. The reduction in time spent monitoring individual security tasks alone helps CISOs create a more positive impact on their companies, something their CEOs and boards will certainly notice.
The SEC's moves are almost certain to be copied by financial regulators worldwide, given their historical track record. Security incidents are now material information, and CISO disclosures are in the spotlight. Their reports, or lack thereof, can influence company valuations and share prices.
Matt Rosenquist, CISO at data encryption service Eclipz.io, summarizes the situation poignantly. "When it comes to cybersecurity, if you have a ransomware attack and your internal systems are down, there's going to be a lot of employees and maybe even vendors, third party suppliers that know you're impacted," he says.
"Shareholders need to know so that they can make good investment decisions. It's about transparency when we're talking about reporting. Transparency feeds into accountability. If your shareholders start seeing you have a lot of breaches and you're not investing in cybersecurity, they may be abandoning your stock."
This view explains why more CISOs are now held accountable at the board level, not just within the C-suite. Today's CISOs need to oversee more than technical certifications. They must recognize their position in the company's growth story and public perception.
Businesses face risks from several directions, and CISOs are often the executives in the best position to identify them.
"My advice would be to agree on a clearly defined program of work with the business as quickly as possible," says one CISO in tech recruitment firm Stott and May's recently published CISO Survival Guide. "You need to understand where the vulnerabilities are, actively review events as they happen on the network, and look at how you are managing incidents."
CISOs are now responsible for communicating best practices throughout their organizations and evangelizing them. Instead of doggedly enforcing rules, CISOs are connecting different parts of their organizations to secure practices.
For instance, third-party data risks are a known weakness of enterprise security structures, an area that clearly falls under the CISO's purview. Today's CISOs are also tasked with promoting secure development practices, evaluating the cost of such infrastructure, and communicating it in engaging ways to the CEO.
In this sense, there is a growing need for continuous security validation, reinforcing demand for tools like Picus, which uses AI to simulate attacks and analyze vulnerabilities. To develop a dynamic security posture, CISOs are communicating the need for such investments in business terms, not just security ones.
Today's digital businesses face constant security threats. To be effective, CISOs need to shed their security-enforcer image and embrace the rest of the business. The modern CISO is a driver of business growth, with a pivotal role facing customers, investors, the C-suite and boards.