
Marc Wilczek

From Defense to Offense: Giving CISOs Their Due

In today's unparalleled era of disruption, forward-thinking CISOs can become key to company transformation -- but this means resetting relationships with the board and C-suite.

After polling almost 1,300 organizations, EY found that only 36% of organizations take cybersecurity into account when planning new ventures. In its "Global Information Security Survey 2020," the firm reports that the uptick in activist attacks — which the report pegs as the second-most common source of significant or material breaches — illustrates why cybersecurity needs to be part of every aspect of the business. CISOs who aren't frequently interacting with senior company leaders will likely be overshadowed, potentially resulting in the launch of new products or services that are vulnerable to cyber threats.

Unfortunately, CISOs aren't there yet, and cybercrime increases by the day. According to EY, six in 10 organizations have weathered a significant cyber incident in the past 12 months, and 48% of boards suspect that cyberattacks and data breaches will affect their business in the coming year. About 21% of the attacks were traced to "hacktivists" — tech-savvy political and social activists — who are second only to organized crime (23%).

Boards Still Working in the Dark
Most boards understand that they need to pay closer attention to cybersecurity. This fact was underlined in the EY report, which indicates that 72% of boards see cyber-risk as "significant." Moreover, CEOs expect widespread corporate cyberattacks will pose the biggest threat to the global economy over the next decade.

But while boards acknowledge cyber-risk exists, just about half (52%) of respondents say that their board is fully up to speed on the nature of those risks. Further, 43% say their board doesn't fully appreciate the value and needs of the cybersecurity team. This should not startle anyone because in 60% of organizations the cybersecurity chief has no official board or executive management role, and only 54% of organizations make cybersecurity a regular item on the board agenda. A mere 32% of security leaders discuss strategic issues and drive change with the board.

This scenario needs to change — but how? A good start would be for CISOs to reconsider the way they communicate with their boards. For example, in the EY report, only a quarter of the respondents could put a dollar figure on the value of their cybersecurity spending in addressing critical business risks.

Cybersecurity Remains an Afterthought
Because activists are waging cyberattacks and digital transformation is now driving the business agenda, the cybersecurity department can't continue to play its traditional reactive role. It has to be on the offensive.

As mentioned earlier, only 36% of the EY respondents say their cybersecurity team plays a part in planning new business initiatives. Instead, the security team should be an integral member of the product planning team rather than being summoned later. EY calls this "Security by Design," where cybersecurity is a central consideration right from the get-go of any new project. If security protection is continually treated as a product retrofit, the result will be expensive, less-than-perfect solutions and clunky implementations. Today, when almost every organization is revising its products, services, operational processes, and organizational structures to align with the realities of digital business, treating cyber threats as an afterthought during product development is a nonstarter.

That said, organizations have a long way to go. The EY report shows they are spending on business as usual, not on new initiatives. In fact, some 17% of organizations spend 5% or less of their cybersecurity budget on new initiatives; 44% spend less than 15%. And while artificial intelligence — currently the best way to combat cyberattacks — is playing a bigger part in organizational decision-making, operations, and customer communications, only 5% cite an increased focus on artificial intelligence.

Agents of Transformation
CISOs are now in a position where they must — somehow — reinvent how they work and how they are perceived within their organizations. Historically, they have been the company's risk-averse first line of defense against cyberattacks, and have been viewed as such. But this state of affairs needs to evolve.

"CISOs cannot afford to be seen as blockers of innovation; they must be problem-solvers," says Kris Lovejoy, EY Global Advisory Cybersecurity Leader, in EY's report. "The way we've organized cybersecurity is as a backward-looking function, when it is capable of being a forward-looking, value-added function. When cybersecurity speaks the language of business, it takes that critical first step of both hearing and being understood. It starts to demonstrate value because it can directly tie business drivers to what cybersecurity is doing to enable them, justifying its spend and effectiveness."

But do current CISOs have the right skills and experience to work in this new way and serve in a more proactive and forward-thinking role? That's an open question, and the answer will probably demand a new breed of CISO whose job is not driven mainly by threat abatement and compliance. In addition to technical skills, the new CISO will need commercial knowhow, solid communication skills, and the ability to work collaboratively.

Living up to this new job description will require the cybersecurity leader to adapt to new modes of working. It'll be disruptive in the short term, but worth it. It's an opportunity for cybersecurity to become an essential business partner at the core of the organization's value chain, one that leads transformation and continually demonstrates its value.


Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...

User Rank: Apprentice
9/1/2020 | 1:03:39 PM
The best defense is a good offense...Vince Lombardi
Good article Marc,

This statement says it all: "CISOs who aren't frequently interacting with senior company leaders will likely be overshadowed...

- IF a CISO is not regarded as a strategic leader, the struggle to add value to the company bottom line will be an uphill battle.

It is certainly incumbent on the CISO to continuously educate the board and senior leadership that Infosec is a facet of Risk Management. When CISO activities are quantified in terms of risk avoidance and potential loss, the board will begin to understand. Regulation and compliance is driving companies to participate in cybersecurity more and more, some REQUIRING named senior cybersecurity leadership roles.

CISOs have got to be in the game to win.

Marc Wilczek
User Rank: Author
9/1/2020 | 2:00:43 PM
Re: The best defense is a good offense...Vince Lombardi
First of all, thanks Richard! Great to hear that you like the article.

I entirely agree with you as far as your second statement goes. However, whether a CISO is regarded as a strategic leader has - in my opinion - more to do with attitude and behavior than a corporate title. That's also what I wanted to stress in my article concerning the need for CISOs to hone their problem solving skills and become more forward-looking.
User Rank: Apprentice
9/1/2020 | 4:02:02 PM
Re: The best defense is a good offense...Vince Lombardi
I see.

I assumed anyone having forward-looking behaviours and problem solving skills would in fact be a strategic leader.

A nuance, I suppose.

Watch for my response on LI.

User Rank: Apprentice
9/2/2020 | 6:45:24 AM
Re: The best defense is a good offense...Vince Lombardi
I must say that overall I am really impressed with this blog. It is easy to see that you are impassioned about your writing.
Marc Wilczek
User Rank: Author
9/2/2020 | 2:00:31 PM
Re: The best defense is a good offense...Vince Lombardi
Many thanks, that's great to hear! :-)