Orchestra of CXOs in securing the enterprise
Sunil Varkey
CISO, CTO, Former Wipro Fellow, Writer, Speaker, Mentor, Cyber Evangelist
‘The Art of War’ is governed by five constant factors, one of which is ‘Method and discipline’. In physical space, method and discipline are to be understood as the marshaling of the army in its proper subdivisions, the graduations of rank among the officers, the maintenance of roads by which supplies may reach the army, and the control of military expenditure. In the current environment of cyber disruption, the equivalent is the management commitment, prioritization, accountability, and allocation of resources by CXOs that creates a favorable, well-resourced environment in which CISOs can defend the enterprise effectively.
Cyber security is no longer a technology-specific activity, nor the responsibility of a single central function to identify and mitigate known and unknown issues proactively or reactively. It is a collective responsibility of all stakeholders and users, with clear accountability and roles to play, carried out in a continuous manner.
In a football game, it is not the sole responsibility of the goalkeeper to keep goals out of the net; it is also the responsibility and objective of every player to stop the ball reaching the goal, which is achieved through the role, strategy, and position of each player and of the team. If any one of them fails in that role, the whole team loses.
It is the same scenario in an enterprise, where such key roles are played by senior management (along with all other constituents) in ensuring enterprise resiliency in cyber security.
GC: With the risk of supply chain vulnerabilities increasing, customers are mandating unlimited financial liabilities for security and privacy incidents, and most of the time the wording of the contracts is vague, with different possible interpretations depending on the individual's perspective. The legal team is often under pressure from the sales team to agree to clauses for faster deal closure. If the GC does not encourage an environment in which the team enhances its domain knowledge and collaborates with security, risk, privacy, and compliance to review and validate scope specifics and boundary conditions in contracts, blindfolded legal sign-off will continue to happen. The GC plays an active role in the layers of defense by avoiding unwarranted liabilities through definite contract clauses, especially by avoiding lock-in/lock-out in cloud contracts.
CRO: In an enterprise, the CRO is the person accountable for the management of enterprise risks, which also include technology and information risk, although at a functional level these may be managed by the CISO organization.
In enterprises which depend heavily on technology, almost 60% of enterprise risk is related to information and technology. The CRO plays a critical role in setting the security risk appetite and in getting the required support at executive management and board level for the security program. For a CISO, the CRO, with his/her reporting connection to the board/audit committee, is the one to call for intervention and support when directions from the CISO are not being addressed with the right sensitivity.
Internal Audit: A very critical function, given its defined mandates and objectives in avoiding risks, but many a time the people involved in audit have very limited understanding of, or appreciation for, the dynamically changing security landscape. Many audits and reviews are done for compliance purposes in the traditional way, or to show supremacy, without a collective vision for improvement. To be effective, internal audit should collaborate with the CISO to understand the context and the bigger picture; ideally, two-way communication and collaboration are required to identify and mitigate security risks effectively. Trusted collaboration between these teams could proactively avoid many security events and internal risks.
CIO: Technology is going through rapid transformation with hybrid technology convergence and cloud adoption. The transformative CIO, at times in pursuit of the label of early adopter and the tag of agile, innovative leader, misses the security risks triggered by these disruptive changes, or even discounts these concerns as transition risks to be addressed in the stable state (a state that takes too long to reach). In some enterprises, IT solutions with bundled security controls, packaged as a single ELA, are forced on the security team, and these may not be the controls actually required.
When the tone from the CIO as IT leader is not aligned with security, or when too many changes are in progress and the overall state is in transition, incidents run high. Many of the incidents reported in the recent past are a reflection of this.
The CIO holds the most pivotal role in IT; his/her appreciation and consideration of security across the IT lifecycle is one of the strongest foundations of security posture maturity. The CIO should be the strongest ally of the CISO in achieving this objective.
If the enterprise has a prominent business IT function that is not in the direct scope of the CIO, he/she should not force the CISO to report to him/her, since the CISO's risk visibility would then be limited to the scope of the CIO only.
COO: Without being sensitive to changes in the business, technology, and threat environment, many internal users continue to follow the same old easy norms, processes, and assumptions adopted decades ago. This needs to change, and that is not easy from the CISO's perspective. The COO should be sensitive to, and appreciative of, strong operational security requirements and the changes needed to avoid potential risks. His/her tone and attitude towards security define the maturity of the security program to a great extent.
CHRO: Traditionally, policy adherence was enforced with punitive controls for non-compliance, but in the current environment punitive controls are not always enforceable. A practical approach is to create a participative security culture in which every individual is part of the security program, reducing exposure and helping to defend.
The most significant support a CISO typically requires from senior management is support for change management based on the potential risks or threats that evolve from time to time. Many a time these changes relate to people practices or existing norms. The CHRO's sensitivity and approach towards security define the CISO's success criteria in this regard. Directions and approach from HR, through their communications, actions, and training, play a significant role in the security program.
CFO: Appreciating that investment in security maturity is not a sunk cost but an investment in business enablement is a key foundation on which a security program can be built. An enterprise is blessed to have such a mature CFO.
Agreeing to invest the required fraction of revenue in the security program, rather than accepting a huge (multifold) risk, should be the tone of the CFO, instead of avoiding investment and taking chances with probable risk.
In the cyber world, the potential liability and impact of security and privacy incidents are not predictable. Leading CFOs collaborate with the security organization to ensure adequate support; lagging CFOs spend huge amounts of money on vendors and consultants after a breach.
CEO: As business leader, the CEO defines the security culture and risk appetite of the organization. If he/she provides commitment to security, the life of the CISO will be much better; that support should be visible and transparent.
One of the biggest problems a CISO faces in any enterprise is VIP culture, where senior people assume immunity from all internal security controls and practices (each of these so-called VIPs is like a hole punched in your defense layer); the more such VIPs in the network, the more difficult it is to defend.
If the CEO sets the right tone and priority for the security program, and practices it, a significant hurdle is crossed. Once the leader practices what he preaches, the rest of the crowd adheres and follows.
All of these CXOs should be part of an enterprise security steering committee, meeting at least monthly or quarterly to review the security posture/exposure and to clear hurdles on the way to the required maturity.
An enterprise security program succeeds only when these key CXOs work together as a team towards the shared objective: cyber resilience.
As Ganesh Viswanathan mentioned in this blog comment: It is like running an orchestra! Each one has to play an active and collaborative role for the symphony to succeed! Having the best technology alone will not save you for the day, but it is in conjunction with the synchronized team that does that! Otherwise you will hear only jarring noise (security incidents), not music!
CISA, CDPO, CISM, CEH, AWS, CCSA, ISO27001 LA, PCI-DSS, NSE, ITIL, PRINCE2, MCSA, SIX SIGMA
5 years ago: I think the CFO plays an important role as well...
Passionate Veteran and Risk & Control Management Leader
5 years ago: Very well articulated article. One aspect I would like to highlight is the role of the CHRO. Most HR groups stress being a great service provider to the rest of the company and many a time compromise by not being a strong control function. The CHRO has three key control responsibilities: preserving values through culture, hiring talent who can adapt to the culture, and ensuring zero retaliation against whistleblowers.
Co-Founder, President, Assisto Technologies, Technology Evangelist, Board Advisor, Eminent CIO, NEXT 100 CIO, Cyber Samurai, Cyber Security Lifetime Achievement, CISO 100, Champion CISO, MBB
5 years ago: Well articulated! It is like running an orchestra! Each one has to play an active and collaborative role for the symphony to succeed! Having the best technology alone will not save you for the day, but it is in conjunction with the synchronised team that does that! Otherwise you will hear only jarring noise (security incidents), not music!