When safety enables efficiency
By Mark Großer
Chief Information Officer (CIO), Chief Technology Officer (CTO), or Chief Digitalization Officer (CDO), even CTIO: these titles have long been in common use in digital companies. And let’s not forget the role of the Chief Information Security Officer. A plea.
The significance of the CISO role for the core business is growing more and more as digitization progresses and security and data protection requirements increase. And rightly so! CISOs contribute directly to the digital efficiency and thus the success of their organization. Their perception and the way they are treated are often still different. But: The image is changing and evolves.
CISOs take responsibility for appropriately protecting information and technologies along the value chains. They contribute to minimizing risks for business operations, risks of non-compliance with regulations, laws and market standards and - last but not least - risks to the company's image.
Risk orientation: Tough on the business model
To this end, they develop strategies and measures across all levels of the organization that fit the business model, degree of vulnerability and risk appetite to achieve and maintain an adequate level of protection. However, the CISO radius of action is expanding beyond the traditional disciplines of IT and security. As partners at eye level, CISOs are highly sensitive to the objectives of corporate management and weigh these against requirements, standards, and measures - and do so consistently in line with business policy.
If this is successful, CISOs are usually closely linked to the company management. It is often common practice to tie the CISO (ISO) function to the CIO or CFO. According to the logic of the three lines of defense, a CISO should report directly to the CEO and the board of directors - or at least be linked to these bodies via a "dottet line".
Risk management requires the ability to act
The CISO role creates business opportunities, as it is an essential part of the response to the risks and threats posed by progressive digitization. Cyberattacks and data breaches have increased exponentially in recent years. They are almost commonplace. Unfortunately, threat awareness and resilience have not developed in the same way. The challenge here is to build the appropriate bridge between business and risk.
The security strategy for an appropriate risk position requires proactive development work and an integrated approach across several areas and roles in the company. Unfortunately, the reality is mostly reactive action. There is a lack of defined risk scenarios for individual business areas and an integrated view of the overall risk position. For example, unclear reporting chains and responsibilities for ad hoc decisions and measures in the event of cyber incidents, or multiple recording of identical facts as individual risks instead of in a "network", e.g. a supply chain.
The risk position of the company comprises the "digital view": IT, information, cyber security, data protection, compliance, governance in agile projects and more. The assessment of the situation in an emergency should not be made dependent on lengthy and manual evaluations, comparisons and adjustments. Cloudification can help, but does not automatically improve processes and governance. The CISO function provides a remedy here through an appropriate, holistic security approach.
It is important to highlight the value contribution made by CISOs. A glance at the costs is not enough. The value of corporate security only becomes apparent when it matters: In a crisis, in the event of a data breach. The output "security" consists optimally of nothing happening. Not in a measurable "return on investment", but in securing value creation.
The experience from major incidents shows: Preventive investments in largely incident-free operation and image protection are worthwhile. Restoring both comes at a high cost to a company in a crisis. What incidents can cost and how the restart will affect the bottom line is well known. Good contingency planning should therefore be part of the risk and cyber strategy. However, this is difficult to convey from a cost perspective. The overall pricing of the risk position often does not yet match the traditional, cost-oriented understanding of IT and security. This is because the permanent, incident-independent contribution to the protection of corporate assets remains virtually invisible. Against the background of the frequency of cyber-attacks and the costs that a successful attack entails, however, the CISO value contribution is positively reflected in the balance sheet in the form of uninterrupted operation alone.
From enforcer to enabler
CISOs unite supposedly opposing worlds. They have a passion for technology and the protection of corporate assets, they understand the relevance of cyber threats to ICT and the value of data or information. They make it their business to be prepared for disruptions and crises and to avert interruptions to business operations. This strong focus on risk does not, however, cloud their view of the overall objective - the core business. The challenges they face are thus analogous to those of other C-Level managers. CISOs need to balance the many demands of the business with the need for corporate security - all against the background of achieving the best possible objectives and creating value.
The field of activity of tomorrow's CISOs can be divided into four areas:
- Security Implementation & Operations,
- Business Enablement and
- Resource Management.
At present, the CISO role all too often focuses almost exclusively on operational activities. As a result, CISOs often enjoy the reputation of being merely enforcers with strong security needs. In the event of a cyber-emergency, they are quickly in the spotlight; in normal operations they are less present. In the background, they drive digitization, cloudification and the agilization of operations. As a result, security and compliance are often seen in a gatekeeper role, making the path to dynamic business models, scaling, and cost effects difficult.
If, on the other hand, the weighting of the four areas is more evenly distributed, the operational safeguarding of corporate values becomes the basis for the creation of added value. CISOs become enablers whose technical expertise is not an end in itself, but the prerequisite for entrepreneurial success. This includes distinguishing oneself as a CISO from "related" functions. CTO vs. CIO.
Finding the right balance
To strike the right balance between security needs and business awareness, CISOs must ask themselves the following questions, among others:
- Do-nothing-comparison: How great is the risk for the company if no control and security measures are/will be established?
- Business Impact: What impact do such measures have on operational revenues and business models? What risk appetite do we decide on, what target level of "security" and protection matches the risk from our business model? (This does NOT mean: "How much security can we afford?")
- Customer impact: Could stricter measures lead to a loss of customers?
- Risk: What are the costs of non-compliance or cyber-incidents? How high are the risks, including the costs of non-compliance?
- Innovations: Does the company have to limit or even completely reject innovations or technologies for control mechanisms to take effect? Does a high level of security promote or slow down the provision of new technologies or innovation processes in the company? And to what extent?
- Acceptance: Could unpopular control measures be hindered in their implementation or be the cause for unsafe workarounds?
- Options: Are there alternative security concepts that cause less friction without restricting risk reduction measures?
- Make/Buy: What must and should remain inhouse? What security services do we obtain from outside - and from whom?
- Partner: With which partners do we partner in the daily Cyber War? What regulatory expectations do we have to meet where (internationally)?
Value contribution through risk adjustment
Loss of image, damage with loss of value chains and emergencies cause expenses that are prevented by the work of CISOs. But the value contribution of CISOs goes beyond this. Their work makes innovative business models possible in the first place. And they point out ways to manage scarce resources in a risk-oriented manner and thus make a contribution to cost savings in the medium and long term. In addition, the CISOs' groundwork gains value by identifying new business areas.
If CISOs are seen as enablers rather than enforcers, as partners and companions in business development, their work ideally confirms an easily overlooked truth: that well-managed cyber security programs do not compromise business goals, but rather contribute to them and make achieving them possible in the first place.