CISOs can marry security and business success

With an endless string of cyber fires to be put out, it’s easy to forget that the cybersecurity function in an organization doesn’t exist in a vacuum. Its main purpose is to ensure the organization succeeds, and that’s the reason CISOs get the budget to build that function in the first place: they need to minimize and contain risks to enable the business to thrive.

CISOs should also look at the business strategy and where the business intends to go and find ways to turn cybersecurity into a competitive advantage.

When it comes to implementing security, there is a tendency to think only about security for security’s sake, or compliance because the business needs to meet it. We forget that the reason why these compliance requirements were instituted: external evidence of internal cybersecurity posture.

Therefore, the key question for the CISO to answer is: “How can I shift my security organization from a ‘prohibit and control’ perspective to being perceived as a leader in security, so that potential customers will choose us instead of others?”

A common language on business goals

While businesses aim for different outcomes, one goal that the business typically prescribes for cybersecurity is business continuity.

This is probably due to most executives viewing cybersecurity only as an operational necessity. At the same time, they fail to see cybersecurity’s essential contribution to the due diligence aspect of the procurement process.

The complexity and length of procurement processes have increased over the years, as prospective clients use this as part of their third-party risk management. Executives that are aware of clients’ needs can use them to improve the cybersecurity of the organization and its offerings, by translating them into features that will raise the offering’s competitive advantage.

Traditionally, R&D and innovation teams perceive the CISO’s role as an obstacle to innovation and advancement. Conventional security entities frequently resort to phrases like “this can’t be done due to security protocols,” obstructing changes to existing infrastructure and impeding innovation. If security is confined to an IT concern rather than recognized as a business imperative, CISOs struggle to emerge as strategic partners.

Transforming the organizational mindset to recognize cybersecurity as a fundamental business function is imperative.

To create the right security outcomes, CISOs must consider the strategic goals the business wants to achieve, as well as the associated risks. Without this synchronization, security endeavors might not significantly contribute to the business’s triumphs, which can be any (or all) of the following:

• Customer trust and reputation: A strong cybersecurity posture helps build customer trust. While third-party organizations cannot promise 100% security, if they show that they have a process for continuous improvement that can be externally validated, customers know they are partnering with someone who cares about keeping their data secure and private.
• Compliance and regulation: Organizations in the industrial equipment industry with a digital component to their technology should address whether this technology has externally validated security certification versus the competition. Organizations in sectors that need to prove compliance to specific cybersecurity regulations (e.g., financial institutions and the DORA regulation) will be looking for compliant partners. Customers are more likely to trust an organization that demonstrates a proactive approach to compliance, giving the company an edge over competitors who merely meet the minimum requirements.
• Business continuity: Strong cybersecurity protocols guarantee that a company can maintain its operations despite cyber threats. Continuous service become a notable competitive advantage, particularly in industries where downtime directly translates to financial losses.
• Sustainable innovation: If security is part of the development lifecycle, R&D can concentrate on developing cutting-edge products and services. Moreover, when security concerns are addressed from the very beginning of new projects, future costly redesigns can be prevented. A secure product or service then becomes a marketable asset.
• Agility and risk management: An organization with a strong cybersecurity posture demonstrates increased agility in responding to evolving threats. Swift adaptation and a proactive approach to risk management serve as preventive measures against significant breaches, fostering stability and sustainability and bolstering customer trust, even during a cyber crisis.
• Cost efficiency: Breaches can be very costly to an unprepared organization. Cybersecurity can be expensive when starting, but once it becomes business-as-usual, it becomes all about risk management and continuous improvements.

One size doesn’t fit all

Many providers can be perceived as equally capable, and the cybersecurity angle is often what influences CISOs when choosing which vendor to work with.

When I do evaluations of potential providers who have similar offerings – for example, if HR wants to bring in a new vetting provider or if Finance brings in a new external payroll provider – I’m evaluating how they handle the cybersecurity and privacy in their organizations and reviewing the relevant supporting evidence they can provide.

If I am evaluating the shortlisted third-party organizations by delivering sensitive data to them and one of them is demonstrably working harder at raising their cybersecurity posture, my recommendation for purchase becomes very clear. By the same token, if a third-party organization raises cybersecurity red flags, they naturally lose the advantage.

For many organizations just starting out, cybersecurity may not be something they consider investing in because they have other “more important” things to attend to. This is a mistake – being small and agile and building your offerings as secure-by-design, from the ground up, could be a major selling point.