First a little history. CIOs in the 80s and early 90s were focused on the technical side of the job. They tended to have a technical background, and their focus was keeping the IT machinery working. This caused a disconnect between the business and IT. I believe this disconnect was a root cause of the productivity paradox, i.e. the slowdown in productivity growth in the United States in the 1970s and 1980s despite rapid development in the field of IT over the same period. Since then the CIO focus has shifted from how to keep the “machinery” running to how to use technology to benefit the business. This is not to say that there aren’t some old-school CIOs around, but the shift is clear and has been accelerated by the move towards business digitalization.
I am seeing initial signs of the same shift in cyber security. Many digital security executives are still very technical and focused on the mechanics (the “voodoo”) of digital security (TISO – Technical Information Security Officer). However, many businesses are now calling on them to be more business oriented and to manage security in terms the business understands (BISO – Business Information Security Officer, or the Forrester report on the Business Aligned Security Executive – BASE).
It is difficult, if not impossible, for security to actually generate revenue, but it can be used to effectively manage digital security risk, compliance and privacy – i.e. lowering cost and increasing compliance. As I wrote in previous posts, almost all new guidelines and standards combine security, compliance and privacy into an outcome-driven approach to digital security.
This will affect the role of the CISO in a number of ways:
- CISOs must shift from a focus on cybersecurity threats to a focus on business risk.
- Cybersecurity metrics need business-risk context, which most of them currently lack.
- There needs to be a clear way to answer the questions “How secure are we today?”, “Are we more secure today than yesterday?” and “What is the plan to make us more secure tomorrow?”
- Clear, measurable and actionable security objectives need to guide digital security management and operations, not the other way around.
- There needs to be a clear way to measure the effectiveness and efficiency of cyber risk controls.
- There must be a holistic, integrated view of organisational cyber risk, security, compliance and privacy management and operations.
- Cybersecurity cannot be measured only on activity and failure – it needs to be proactively managed as a strategic business risk.
Orchestra’s Harmony platform and its executable policy approach focus on exactly those needs. We are looking for additional design partners for our platform until the end of 2020 – any organisation interested, please contact us.