
5/26/2016
11:30 AM

What's At Risk When CISOs Say 'No'

Employee satisfaction and hundreds of billions in revenue when CISOs don't look for creative ways to secure innovative change.

Security leaders have long heard from pundits and their own executives that they've got to stop infosec organizations from being the departments of 'No' if they want to maintain relevance in today's innovation economy. However, many of the business arguments for rapid adoption of game-changing technology and methods have been made with too many platitudes and vague assertions and not enough statistical evidence. The fast and loose nature of some claims has given risk-averse CISOs enough ammunition to wantonly act as organizational speedbumps in the path of innovation.

But a pair of studies out this week offer up some real numbers and empirical backing to the reasons why CISOs with a stubborn streak need to rethink how they're helping their organizations manage risk. The numbers offered by these reports provide more proof than just gut feelings pointing to how innovation drives top-line revenue growth, bottom-line efficiency, retention of key employees and everything in between -- and they're worth a look by all security pros who default to 'no.'

First up was a study by Adobe that offers some long-awaited statistical evidence for claims that technology afforded by BYOD, pro-sumer SaaS services and the like can impact employee satisfaction and retention efforts. Called "Work In Progress," the survey polled over 1,000 U.S. workers to examine attitudes about working conditions and technology that impact career decisions. Most relevant to this discussion is the finding that 81% of those questioned say state-of-the-art technology is important at work, outranking food and beverage, office design and on-site amenities. In other words, forget the free candy wall -- these workers want their tablets loaded and ready to use the apps they need to get through the day as efficiently as possible.

According to 85% of those polled, technology makes them more productive; employees who say that their company is "ahead of the curve" love their work twice as much and feel about twice as creative, motivated and valued compared to those who rate their companies as being "behind the times." The problem is that only one in four U.S. workers think that their company is ahead of the curve. And while the study didn't look for the link, you can bet that for at least a plurality of those behind-the-times companies, security issues have something to do with the lag.

Meanwhile, at the same time as this study was released, another one from Cisco took a look at the money left on the table when organizations in the financial market fail to quickly adopt disruptive technology. The study calculated the digital Value at Stake (VaS) for retail banks from 2015 to 2017, potentially available to capture through investments in disruptive technology like analytics, mobility, video and virtualized delivery models.  

According to Cisco, that number is a whopping $405.3 billion. Unfortunately, last year only about 29% of that opportunity was captured.

“Too many banks are moving slowly or not at all. By waiting to digitize their businesses, or by delaying new technology initiatives, banks risk not only missing out on the potential dollar VaS but are actually at risk for being put out of business altogether,” says Jason Bettinger, director of financial services for Cisco’s business transformation group.

A big part of that slowdown can be laid at the feet of cybersecurity programs unable to move quickly. Cited in this week's report is a study of over 1,000 senior finance and line of business executives, 71% of whom said that cybersecurity risks and threats hinder digital innovation at their organizations. Six in ten said their organizations are reluctant to innovate in areas like digital products and services due to perceived risks, with delays occurring in digital initiatives around omnichannel capabilities, wealth management and asset transfers, mobile banking and mobile payment capabilities, self-service and virtualized delivery models.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
 

Comments
enhayden,
User Rank: Strategist
5/27/2016 | 1:03:54 PM
Useful Advice to CISOs
This article offers an excellent commentary on how CISOs can certainly be a barrier to innovation; however, in my past experiences as a CISO I often found that the CISO and security organization were not involved in the project early enough. So, when the CISO discovered the project was "afoot" or the CISO was finally invited to participate in the project deployment, it was often too late. Hence, the CISO was simply doing their job identifying security flaws and vulnerabilities that should be fixed BEFORE deploying the technology.

Hence, the CISO is viewed as the "NO" person when really the project flow did not include security early enough in the project.

One other approach the CISO and security organization should offer is one of "...we won't stop the project but we want to offer ideas and ways to make the project more secure..."  Hence, this philosophy is less of a threat to the project manager and more of a positive contributor.

Again, thanks for the article and the examples from Adobe, etc.   

Ernie Hayden CISSP CEH GICSP(Gold) PSP