The article I wrote about the hybridisation of business leader, IT leader and cyber security leader was first published in SC Magazine in May 2017. I not sure much has changed. Are security leaders stuck in the past or has the evolution started?
What if the CISO’s of today become candidates for the COO or CEO tomorrow?
Digitisation is business’s biggest opportunity, but it’s also its biggest risk. This dichotomy creates a challenging proposition for security strategists on the verge of a significant evolution in security thinking. To succeed in the increasingly digitised business environment against a constantly changing and often sophisticated threat, security professionals will need to create a detailed level of visibility and contextual understanding as to how the whole business works, that will surpass anything that we see provided today by any other function.
The potential next evolutionary step for security is exciting. If security professionals seize the opportunity, they may just become the digital change agents and true business partners they have always aspired to be.
Digital situation awareness
Technology has an increasingly important role to play as a driver to help business achieve lower cost and/or competitive differentiation. However, the result of our increasingly digitised environments in the era of the “Internet of Things” is also an increase of the surface area against which a cybercriminal may attempt to steal or destroy our company information and/or assets.
Therefore, we need to do two things: firstly, we need to create a profound understanding of our business eco sytsems, i.e. the interplay between people, process and technology inside the organisation, and how they interact with those outside the organisation. Secondly, we need to create a detailed level of visibility of our end to end information value chains that traverse these ecosystems. This holistic and detailed level of digital visibility is becoming more achievable with the newer “next generation” type technologies. We can start to refer to the output of these two things as digital situation awareness.
Digital situation awareness enables security professionals to more quickly and more effectively focus security effort and spend. Interestingly, digital situation awareness also provides security professionals with a unique insight into the very business process they set out to protect. This enables the security professional to potentially engage in more productive conversations with both the business owner and IT about optimisation and value creation. While value creation of business process has never really been within the remit of the security professional, digital situation awareness, and security professionals as stewards of digital situation awareness, may potentially cause a shift in the traditional paradigm toward a greater level of partnership and convergence of strategic direction.
To succeed in this new role, security professionals must first succeed in meeting two challenges.
Challenge one: ‘Seeing the wood from the trees’
Once dominated by five big vendors the security market has now changed. There are now multiple approaches and almost a different type of technology for every facet of security. Further, in Q4 2015, a Forbes article stated that “several new hundred-million dollars plus cyber security investment funds have been announced by VC firms during 2015”. While this trend encourages market competition and innovation, it adds unnecessary complexity for the security professional. Being able to decipher which mix of technologies is right is difficult. This often results in excessive layers of overlapping technologies, underutilised capabilities and overly complex IT environments.
The next generation security professional must return to business basics to be successful. Their technology mixes will also be driven by trying to achieve digital situation awareness.
Challenge two: Standing tall
Security has always been perceived as an insurance policy and security professionals have done little to change that. However, spectacular breaches over the last few years means boards now have no choice but to listen. If security professionals want to change their future, we need inspirational leaders with vision, who can think strategically, not just about security but about opportunities that the new digital landscape can afford the business. This does not easily equate to the traditional security leader.
Next generation security leaders will not only create digital situation awareness they will know how to use it to exploit the full potential of digitisation.
Hybridisation of business leader, IT leader and cyber security leader may sound far fetched, but consider the rise of the Chief Knowledge Officer and its subsequent fall as those responsibilities were assumed by COOs and CEOs. As information management has become central to the competitive advantage of organisations, “information savvy” executive leadership has become central to success.
As stewards of digital situation awareness, security leaders may just find themselves accountable for both protecting the organisation but also driving business value.