Once upon a time, the Swedish banks ran an operation where the only way to serve customers was through branches. Customers got their loans and their cash in the branch. To improve access to cash, ATMs were introduced, and in the late 1990s the first internet services were launched. Ten years later, Apple released the iPhone, the mobile era took off, and the situation today is totally different: banking customers now choose when, where, and how they want to fulfil their financial needs, on mobile devices and in real time. This is obviously having a huge impact on the financial industry, but it also has an impact on security. In the past, security was about physical protection of staff and cash.
IT security initially had the same positioning, to protect, but this is changing. Protection together with detection and response is still key, but security is starting to be seen as a business enabler that delivers business value. This ties in well with the changing role of the CISO. I am in my fourth year as a CISO at Handelsbanken, a bank with its roots in Sweden that now defines six countries as home markets. The expectations on me as a CISO have changed a lot since I took on this role. Initially, it was about overseeing and implementing a cybersecurity program, understanding the key security solutions, and being the go-to person to handle a cyber crisis. This is still the case, but soon there was an expectation to provide senior management with the current cyber risk exposure, then threat intelligence had to be embraced, and now it is about becoming a business enabler.
So How to Become a Business Enabler?
First of all, there are no shortcuts: if you are in a sector where cybersecurity is prioritized, you need a security organization working in a structured way, and you need an active Threat Intelligence (TI) function to understand what you are up against. How this is organized, that is, in-house, outsourced, or a hybrid, is up to you.
With this as a foundation, let us turn to becoming a business enabler.
My recommended starting point is to ensure that your high-level security goals are aligned with and contribute to the corporate goals. The key challenge is to find the correct language, the words that appeal to upper management. One good example when delivering digital services is to talk about trust. This is probably the key value that all efforts in a security organization are aiming for: your customers need to have trust in your digital solutions.
Spend some time on this: iterate your security goals and map them to business values, meet the teams working with business development, and, to get inspiration, read your company's annual report. What is your CEO talking about?
The next step is to demystify cybersecurity for upper management. Nowadays senior management has good awareness of the potential consequences of a cyber attack, since it is all over the media, but what does it really mean for your company? Which parts of your company are in scope, do you have a lot of outsourced solutions and external partners, what are the critical functions, and so on.
I am personally fond of the NIST Cybersecurity Framework. I usually find that the Identify, Protect, Detect, Respond, and Recover capabilities are easy for upper management to understand and grasp. But there are obviously many other ways of putting cybersecurity in the context of your company and describing it in a pedagogical way. So now you have the values and increased awareness of cybersecurity; then it is about how to deliver.
The choice largely depends on where in the organization the security function sits and on corporate culture. One strategic approach is security integration, that is, embedding security as an integrated component of the corporate business processes. The processes can differ a lot depending on the sector, but looking at the financial sector, where banks are heavily digitalized, there are some key processes to consider.
The obvious one is the development process, from idea to launch, usually agile in its set-up. There is plenty of material available on ensuring that security is integrated in an agile world, and this definitely contributes toward trust.
And there are many other avenues to explore: the additional processes that contribute to the business values you defined earlier, ranging from the traditional ones such as life-cycle management and the incident process, through business/IT strategy and enterprise architecture, to the human resources process. It is also about meeting with the investor relations and communications departments and putting security on their agenda.
The opportunity to discuss business values has improved over the last couple of years, which helps in initiating discussions about business value. But I still think that we in the security community need to stretch ourselves a little more and leave our security jargon behind. This is one of the key challenges for a CISO in the near future. I am confident that if a good balance between business needs and security in digital services can be found, the company will be rewarded; more than that, it is a matter of survival.