Resistance to the functioning of the cyber security team due to its restrictive policies that interfere with business enablement can spell doomsday for cyber security team leaders. Biju Unni at Cloud Box Technologies advises on a more peer to peer approach, which aligns with business, enabling both sides to move forward.
Company boards and the executive management are struggling to manage the balance between the necessity to grow, invest in innovation, protect from cyber security threats, and manage risk and compliance. technology budgets that are meant to drive business results and business robustness are increasingly requiring a nod and approval from business heads for alignment and enablement.
Today’s cyber security leaders who are entrusted to protect the enterprise from threat actors and maintain the risk and compliance profile of the enterprise cannot execute and function in isolation. Increasingly their ability to deliver is being gauged by the success and enablement of business heads. With shareholders increasingly accepting the need to transform and business heads accepting the opportunities that lie ahead, the role of cyber security leaders is both to protect and enable the enterprise, through its digital transformation journey.
Today, the priorities for cyber security leaders are to support the changes being driven by digital transformation; align business and security objectives; improve the relationship of the cyber security team with rest of the enterprise, both horizontally and vertically; retire and revamp obsolete processes that restrict users without added protection; look at solutions to automate like robotic process automation; among others.
However, the climate for cyber security leaders to function is becoming challenging. Gartner points out how the balance of sentiment is changing inside the enterprise.
Gartner research shows that 58% of boards of directors expect to increase their risk appetite in between 2024 and 2025, and 58% see digital technology initiatives among their top five business priorities for the next two years.
However, stakeholder’s confidence in the ability of cybersecurity leaders to support these initiatives as a trusted partner is not assured. Gartner research shows that 47% of CIOs see cybersecurity risk mitigation processes as a hindrance to digital execution.
Cyber security leaders are already struggling to keep up with existing technology and risk challenges. Finding the capacity to deliver higher volumes, at a faster pace, with greater flexibility for business, without more people or resources, looks impossible in the current conditions. Unless cyber security leaders and their teams relook at fundamentals.
Here are some recommendations to make headway in this direction.
Changing rules of the game
Digital transformation and the evolving macro-economic environment are setting the pace and expectations for enterprise business leaders. Cyber security decision makers need to follow the lead taken by their business counter parts and adapt their strategies to support and facilitate their success.
The underlying expectations from business that cyber security leaders need to support, also enabled by the various adopted digital platform include flexibility, autonomy, modularity and self-service, among others.
Internal blocks
It is important to identity the biggest internal blocks that are hindering the passage of implementation for modern security policies. For example, identify the biggest critics of the cyber security team at the executive management level. List their entire expectations and work towards meeting those expectations or aligning with those expectations as a priority, wherever practical.
This will help to increase the support for the cyber security team’s performance at the executive level. It will also demonstrate to other business leaders of the cyber security team’s commitment to make progress and support business leaders and their functions.
Cyber security leaders must be seen as helping to trade off restrictive control measures in favour of business enablement, without creating additional risks or compromising on compliance and guidance. Cyber security leaders must be able to work with their business counterparts towards enablement of business rather than being viewed as control managers.
Programme champions
Identify motivated employees across the enterprises who can support and further communicate selected facets of the company’s security policies to the rest of the enterprise. They become advocates and ambassadors who can communicate the need and benefits of those specific aspects of the security policy to the rest of the enterprise.
While responsibility for security technology implementation does rest with the IT security team, evangelisation and championing the need for cyber security can be leveraged from outside the security department.
Challenge assumptions
The fast pace of change in technology lifecycles, adoption of new technology solutions, and changing business environment, also creates the risk of having a significant number of processes and operations, which are mainstream, but may have become redundant or obsolete.
The necessity of keeping the light on every day, creates a momentum of co-existence with such redundant and obsolete processes, which is a drag on resources and hinderance to improvement in efficiency.
By giving members of the security team, the flexibility to question previous assumptions and suggest changes, through scheduled meeting, without fear of punitive consequences, can help to keep process improvement a side by side feature running in parallel.
This also helps to spotlight and highlight innovative talent, boosts initiative across the team, and helps to keep motivation levels at the highest.
Watch on wastage
Blocking access and having rigid controls for business users, creates negative consequences inside the enterprise for the cyber security team. As the importance of business decision makers increases through their growing size of revenue contribution to the overall enterprise sales, or through strategic support centres, negative sentiments toward cyber security practices can slow down their functioning.
Any technology team that is unable to function at its optimum speed to produce change and delivery will soon start realising erosion in its spending budgets and management support.
To avoid such cyclic consequences, cyber security decision makers must continuously review hinderances and blocks that may affect business functioning and business enablement, without reducing risk or creating an opportunity for threat actors.
The net benefits of reducing such unnecessary controls is improving positive sentiments towards cyber security functions as well positive benefits of freeing up and redeployment of skilled resources to alternative areas.
Empowering to scale
As the scale of digital transformation begins to sprawl for an enterprise, from on-premises to edge to cloud to remote work, it is safe to say that the cyber security team will never have complete visibility or complete control of its enterprise. It is therefore important to build the capability of cyber judgment across the extended enterprise, where cyber security teams do not necessarily have full visibility.
This means empowering qualified business heads to make high quality judgments that are in the best interest of the enterprise, using independent sources of information that may not necessarily and immediately be available to cyber security team members.
By doing so, cyber security team leaders will be viewed as accelerating the scale of digital transformation, building trust across the extended enterprise, and reducing the resistance to the functioning of the cyber security team.
Key takeaways
- Gartner research shows that 58% of boards of directors expect to increase their risk appetite in between 2024 and 2025.
- The ability of cyber security leaders to deliver is being gauged by the success and enablement of business heads.
- Stakeholder’s confidence in the ability of cybersecurity leaders to support these initiatives as a trusted partner is not assured.
- Gartner research shows that 47% of CIOs see cybersecurity risk mitigation processes as a hindrance to digital execution.
- It is important to identity the biggest internal blocks that are hindering the passage of implementation for modern security policies.
- Cyber security leaders must be seen as helping to trade off restrictive control measures in favour of business enablement
- The necessity of keeping the light on every day, creates a momentum of co-existence with redundant and obsolete processes.
- Blocking access and having rigid controls for business users, creates negative consequences inside the enterprise for the cyber security team.
- As the scale of digital transformation begins to sprawl, it is safe to say that the cyber security team will never have complete control of its enterprise.
Click below to share this article
