By Manoj Bhatt, Head of Security and Networks at Telstra Purple
The impact of Covid-19 is something that is going to be felt in the business community for years yet to come. A huge number of things have changed in different industries, as business has adapted first to the pandemic and then to the new workspaces that have both evolved as a result. This change will persist long after Covid-19 has gone. Distributed workflows have become the norm, first driven by the necessity of remote working, and then maintained by the desire for more flexible working on behalf of employees.
A PwC report at the start of 2021 found that 79% of employees want the flexibility to manage family matters alongside work. With many employees eager to keep up remote working practices as a result, the CISO’s role has changed dramatically. The need to create a unified digital workplace has become a key objective, but the attack surfaces have expanded significantly. CISOs have therefore had to implement secure remote-work strategies in a wide range of dynamically shifting conditions, all while accounting for the needs of business objectives, customer requirements, employee engagement, and productivity.
It is a delicate balancing act and one that is seeing the CISO take a more prominent role in many companies. We recognise the importance of the interaction of people and technology. We created ClubCISO to better support CISOs working in public and private sector organisations; and help them shape the future of their profession. ClubCISO asked its members about the skills they need for their jobs. While over half of them say that business knowledge and clear communication skills are vital components of the modern CISO skillset, only 25% and 33% respectively say they have them.
This is something that is going to have to change as the CISO becomes more central — and more visible — to the success of ongoing business operations. Interestingly, while the percentage of CISOs who report into IT has grown slightly within company cultures — 53% in 2020 rising to 57% in 2021 — the number who think they ought to be reporting at board level has risen dramatically. Thirty-five percent of CISOs thought they ought to be reporting into the main board in 2020. In 2021 that figure has risen to 63%.
Partly this is due to the change in the external threat profile. 71% of IT professionals have said they have seen an increase in security threats since the coronavirus outbreak started, and more than a third of organisations worldwide have experienced a ransomware attack or breach.
Some of these have been extremely high profile. The now infamous Kaseya supply chain attack affected an estimated 2000 businesses worldwide from schools to supermarkets, while attacks on Colonial Pipeline and JBS Meat Packing in the US saw the White House issuing a memo urging business leaders to take action.
While still underrepresented at board level, all this has at least raised the CISO’s profile within workplace cultures. Eighty-three percent say their organisation believes they add value — which makes you wonder quite hard about what’s happening in the other 17% of workplaces — while 61% say their security cultures are improving or exemplify best practice as a result. Sixty-eight percent say their organisations have a positive security culture.
Both the last two figures represent a significant ongoing improvement and there have also been encouraging reductions in blame cultures around security incidents. Most heartening is the improvement in the perception of security as an ongoing value-adding business function, rather than simply being a reactive process that happens after a breach has occurred.
Given the potential reputational damages of a well-publicised breach, as well as the financial implications as data protection legislation is tightened around the world, this change in perception makes sense, and raises the CISOs profile at board level. This, in turn, enables them to make a more convincing business case for ongoing investment into security applications and processes – to work towards that progressive security culture in the business.
It also gives them leverage in promoting a positive security culture in the new digital workspaces. This has been one of the great achievements of the CISO community as a whole during the course of the pandemic. The number of CISOs that can agree with a statement regarding a positive security culture within their companies has risen from 45% in 2020 to 68% in 2021 (and the number disagreeing has dropped from 22% to 6%). And 61% of CISOs say, hand on heart, they are making progress on delivering a good security culture.
This importance of this endeavor cannot be understated. The CISO’s heightened role in promoting a positive security culture, and the significance of putting the right culture in place to enable employees to understand/report problems, is vital for the health of the new distributed digital workspaces, and better security outcomes for the business.