Four Ways the CISO is Going to Have to Evolve in 2022

The pandemic has changed how businesses operate — dramatically accelerating remote working, incentivising digital sales processes, and ultimately placing far greater importance on network connectivity and digital flexibility.

These changes bring significant business opportunities, but they also generate cyber security risks. There has been a 400% rise in cyber-attacks during this same period, and 95% of CISOs predict that the situation will get worse before it gets better.

Luckily, it isn’t all bad news on the job front. While a need for fast remote access has proven undeniably challenging, this shift has also brought with it some glass-half-full benefits, highlighting the importance of cyber security for both commercial outcomes and business-critical processes. By rethinking how the CISO operates, it’s possible to capitalise on (rather than crack in the face of) these changes. 

Fundamentally, this year has painted a picture in which the CISO of the future needs to be a far more integrated part of business. By stepping up, CISOs can become indispensable in ways they haven’t been until now. Here, we’re going to explore that shift and consider how you can evolve to feel those benefits in 2022 and beyond. 

Suggested reading: For practical guidance on how to be a more business-focused CISO, check out our free resource — The Board Presentation Toolkit: Cyber Security and Threat Management.  

1. It’s time to get accountable

According to a recent GISS survey, just 36% of organisations previously onboarded CISOs at the planning phase of a new product or service. However, for the vast majority, security, and more specifically CISOs, have been an afterthought, making accountability a challenge to say the least.

This is an issue that the largely technical-focus of the CISO has facilitated, but that’s changing. In fact, according to Gartner, CISOs stand to transform digital risk management “by proactively assessing risk appetite and the value of the desired business outcome.” In other words, CISOs need to start accounting for businesses on the whole rather than siloing their services, a point that’s only highlighted by the Gartner prediction that 30% of a CISO’s effectiveness will be directly measured on their ability to create business value by 2023. 

Making the change work for you

In reality, this change is at the heart of everything the CISO needs to do in 2022. To a large extent, the solution revolves around how your business perceives cyber security, and how you relate to the business at large. It’s important to adopt a business-level mindset, and think strategically about how cyber security can deliver commercial benefits. Consider ways in which: 

• Cyber security creates opportunities to improve customer relationships.
• Cyber security can expand service or product offerings. 
• Cyber security reduces financial risk. 
• Cyber security can create cost savings within your organisation.
• Cyber security operations can be made more efficient — driving wider cost savings.

Fundamentally, cyber security has the potential to drive significant commercial outcomes by enabling your business to adopt innovative strategies without exposing yourself to risk. Cyber security leadership should be defined by your ability to communicate the value of effective cyber security investments. Adopting an outcome-orientated perspective is critical to gaining the necessary buy-in from your organisation, and that starts with changing your own mindset regarding the value of cyber. 

Suggested reading: How to Effectively Explain the Value of Successful Cyber Security. 

2. The building blocks of business alliances

In the past, CISOs have worked closely with CEOs and board members, often solely focusing on security. This can lead to obvious disconnects between the assets you’re attempting to protect and the protections themselves, a disconnect which won’t serve any longer.

Of course, appealing to the people up top is still fundamental. But there is more than one way to gain the support you need. Namely, many CISOs are realising that alliances within otherwise unchecked areas will not only provide much-needed advocates, but will also help with the outcome-based focus discussed above. According to the same GISS study:

• 26% of CISOs report mutual or high trust relationships with marketing teams.
• 36% of CISOs say the same of relationships within research and development. 

With that in mind, there really is no time like the present.

Making the change work for you

The idea of making friends across a business can seem like it will take you away from the day job, but making friends needn’t mean making compromises, especially if you work with strategic partners to take some of the load off/expand your knowledge store. When you tie the ally narrative into those more goal-focused priorities, a friend-focus can dramatically enhance rather than detract from overall security solutions. 

Think about direct ways that cyber security will benefit your marketing, finance or legal teams, and explain to those business leaders how what you want to do will improve their goals as well. For example, security investments might be critical to a new customer data collection strategy, a remote working policy, or creating of a customer facing app. If done right, this can help orientate your entire business around cyber security, building more robust outcomes and gaining the support you need to drive effective investment and commercial growth. 

Suggested reading: Five Cyber Security Questions Any CISO Should Be Able to Answer in 2021. 

3. Becoming an agent of change

The two issues already discussed point to one thing — the need for CISOs to become agents of change, rather than tech-locked outsiders. There’s certainly no room left for security to be treated as a technology-only issue. By altering the language and perception surrounding what cyber security can do, CISOs are almost guaranteed to see the change that they want to be in the workforce.

Making the change work for you

At its heart, becoming an agent of change is about altering not only your priorities/methods but also the language used to describe them. Instead of focusing on tech-based info that nobody understands, an agent of change should adopt business-level and risk-based language that any board member can get behind. Consider questions like: 

• Am I more secure today than yesterday?
• What is the greatest threat to everyday functioning?
• What can solving security issues deliver? 
• What budget could help to effectively manage that risk?

Pro tip: Our board presentation toolkit has some fantastic advice on how to do all of this, and frame cyber security investments in business-level language. 

4. Doing more with less

As well as increased risk, the majority of businesses are working with reduced budgets — likely part of what’s driving the increased measurement of CISO success based on creating business value. This leads to something of a predicament — CISOs need to do more than ever, yet it’s fundamental that they do so for less. 

Making the change work for you

Driving efficiencies is one place where strategic partnerships can deliver a lot of value. With more advanced cyber threats on the horizon, developing sophisticated cyber security solutions requires increasingly niche and specific skill sets within your cyber team. The problem is that these skills aren’t needed all the time, and cyber security skills shortages make them hard to access at all. 

Managed service providers can deliver access to skills on-demand, letting you only pay for the skills you need, when you need them. For example, detection and response units (which are an increasingly important capability to have) require far less personnel to monitor systems than respond to an incident. A managed detection and response (MDR) service is more cost-effective than building and maintaining those capabilities in-house. 

Fundamentally, 2022 requires flexible and effective cyber security solutions. As CISO, it’s your job to find creative ways to deliver results while ensuring that you are also creating effective business outcomes that drive the bottom line. Efficiency, itself, is a business outcome. But always look for ways that partner efficiency with broader change and capitalisation on commercial opportunities.  

Accessing the right skills and focusing on commercial priorities

Changes are afoot for the CISO of the future, with forward-thinking, business focus, and enhanced collaboration all set to become musts rather than maybes.

Unfortunately, up to 51% of employers find it challenging to fill generalised security roles. No CISO is an island, and making sure that you have access to the right skills is critical to executing the types of solutions necessary to succeed. Again, managed service providers are an invaluable tool for accessing skills on demand. 

Fundamentally, however, the central goal for 2022 should be an increased focus on the commercial benefits of cyber security. Luckily, making the connection between cyber security investment and business value isn’t hard — but it does need to be your focus. If the CISO doesn’t champion the value of cyber, it’s likely to remain in the shadows, only coming under scrutiny when something goes wrong. Outlining the commercial benefits of cyber investment is how you gain the support needed to build better and more effective solutions. It’s also how you transform yourself as CISO. Good luck, get planning, and have a cyber-safe 2022.