Positioning Cyber Security as an Investment: The Modern CISO’s Skillset

Our latest research across CIOs, CTOs and CISOs shows an unsurprising uplift in security to become Australia’s #1 IT investment priority, in light of recent high-profile breaches

It’s no wonder that local companies are taking cyber security more seriously, considering that the Australian economy loses $3.5 billion yearly to cybercrime, and the average cost for a business to obtain solutions is over $276,000.

Regrettably, hackers are improving their skills and modifying attack methods to target different systems and technology. This means it is no longer an issue of whether a cyber attack will occur but when.

In addition, the use of cloud services is expanding, which highlights cyber security’s significance. According to an ADAPT study, 55% of workloads will be housed on public cloud platforms by 2024.

Although cloud services have many advantages, if they are not adequately secured, they pose some threats. Organisations must therefore implement the necessary security measures to shield themselves and their stakeholders from cyber attacks.

Security investment and digitisation covers vulnerabilities from manual work

Manual processes in security operations can often lead to errors, inefficiencies, and blind spots that can compromise an organisation’s security.

For example, manually reviewing security logs or investigating security incidents can take a long time and may need to be more thorough to detect all potential threats.

According to ADAPT’s study, 70% of digital leaders agree that legacy systems and processes are the top inhibitor for technology initiatives.

Legacy technologies are a significant obstacle to maintaining digital initiatives as they often need more security features and capabilities to keep pace with modern security solutions.

Legacy technologies may also be more challenging to maintain and update, making it difficult to implement a cohesive security approach across the organisation.

To overcome these limitations, firms must embrace digitisation to automate and streamline security processes.

Automating operations reduces the risk of human error and allows personnel to focus on more crucial tasks, such as threat hunting and incident response.

Digitisation can also enable better visibility into the organisation’s security posture and facilitate real-time threat detection and response.

However, digitisation requires a change in mindset and practices. Many organisations still rely on outdated technologies and manual processes, hindering their ability to keep pace with the evolving threat landscape.

To overcome this, organisations must work collaboratively across business units, including technologists and other key stakeholders, to adopt a security-focused mindset and prioritise digitisation efforts.

Products of digitisation like statistical analysis and visualisation tools can be used to drive data-driven security decisions.

These tools can help identify trends and anomalies in security data, such as network traffic or user behaviour, and enable proactive risk mitigation strategies.

CISOs as the organisation’s advocates for cyber security

ADAPT’s research reveals the top priority for Australian CISOs over the next 12 months is building a secure and trusted organisation. This is also the highest priority for Australian CIOs and infrastructure leaders.

However, less than 50% of CISOs actively communicate security updates to executive leadership and the Board, and only half communicate with employees about their role in combatting threats.

CISOs are faced with the tough task of articulating the state of cyber security and explaining how to safeguard business value. This action helps them gain buy-in and funding from executive leadership teams and boards.

It is a best practice that CISOs use common business language instead of technical language to communicate the value of cyber security to other executives.

Best practices for CISOs to protect brand reputation and organisational assets

The job of a security leader involves stakeholder management, including presenting to C-level executives and the Board to position cyber security as an investment and secure funding.

The risk is that the board may see cyber security as a one-time investment. The modern security leader must have business and soft skills to position cyber security as a smart investment, experiment, and test to learn.

They should understand the Board’s risk appetite and the four layers of cyber security perspectives:

• Cyber controls
• Regulatory compliance
• Commercial approaches
• Ethical risk

A capable CISO will highlight the business value of security investment. Good practice also requires aligning and prioritising security initiatives according to the organisation’s vision and mission.

Additionally, CISOs can develop a common language to relate security investments to the needs of other executives.

It is also crucial that CISOs raise awareness and ensure employees understand their role in maintaining organisational security. This can be done by developing security awareness programs that fit employees’ needs, experiences, and interests.

Identifying change champions in business teams who understand the need for change and can effectively advocate the organisation’s security agenda within their team is also important.

The long road to cyber security