Shoring up Fundamentals, Envisioning the Road Ahead in Cybersecurity
Few roles have changed as much as that of the modern CISO. Today’s CISOs wear multiple hats: they must be technically savvy, strong managers of people, and excellent communicators, whether with senior executives, cybersecurity partners, or their peers in the industry.
How has the role of the CISO evolved, and how can CISOs shore up their organisation’s cybersecurity fundamentals amid a turbulent threat landscape? Crucially, what does the road ahead look like?
We asked two cybersecurity leaders for their thoughts.
The modern CISO
“The role of a Chief Information Security Officer (CISO) has significantly evolved in recent years, transitioning from a technical focus to strategic leadership,” said Paul Lek, Executive Director, Business Information Security Officer (Japan, China and APAC), Singapore Tech Center, MSD.
The evolved CISO role requires a broader skillset and a more proactive approach to address rapidly changing cyber risks, he says. In his view, CISOs today play a key role in enabling the organisation to gain a competitive advantage in the market, as well as driving and fostering its cybersecurity culture.
And of course, the CISO is pivotal in quickly communicating the organisation's cybersecurity posture to senior leaders so that they can make informed decisions, he says.
Dr Carrine Teoh, Vice President, ASEAN CIO Association (Cybersecurity & Governance Chapter), agrees with this characterisation of the CISO’s role. She said: “CISOs are the bridge that brings in the information about cybersecurity and the policies that are needed to the C-Suite and the board.”
While it might seem that CISOs have been around forever, Dr Teoh observed that the role of the CISO was only popularised relatively recently. There is no disputing its importance though, particularly in the wake of a cyberattack.
“With digitalisation, businesses today are highly dependent on digital systems. When a cyber incident happens, it impacts more than business operations. It impacts the reputation, it impacts the shares, it impacts the industry,” she said.
Shoring up the fundamentals
Just as a nation’s identity isn’t solely about the land it occupies or the buildings along its skyline, good cybersecurity is more than the sum of the cybersecurity solutions deployed. With that in mind, what are some strategies that CISOs should adopt to shore up their organisation’s cybersecurity fundamentals?
For Dr Teoh, it is building resilience. She said: “It is no longer about who is being attacked, or whether they will succeed in their attempts. You will get attacked, whether you know it or not. The question is how fast can your organisation recover from the attack?”
“Organisations should have a comprehensive and updated cyber incident plan. That will give them good cyber resilience, giving them the boost of confidence from customers, stakeholders, and the public.”
“It's not about handling incidents only, but it's about the entire flow. It’s about communication, how you back up everything, how you restore affected systems, how you return to business as usual,” she elaborated.
For his part, Lek notes that the evolving cybersecurity landscape demands that organisations implement robust cloud security strategies with proper access controls, data protection, and privacy.
“Organisations should also invest in threat intelligence capabilities including threat information sharing, as it helps to further enhance the cyber posture by leveraging the knowledge, experience and capabilities of their partners,” he said.
Leave no one behind
Cybersecurity isn’t just the job of one team but is everyone’s responsibility, says Lek, who adds that a long-term success factor on this front is a commitment to diversity, equity, and inclusion in the company.
“We have to understand that there are different groups of audiences, from business users, and management, to IT users, and more. They have different levels of understanding of cybersecurity, which means they need different access to tools that help keep their cyber environment secure,” he explained.
“By acknowledging this, we are empowering our employees from all walks of life to challenge themselves and take their skills to the next level,” he said. “Organisations should focus on implementing regular security awareness and training to educate their employees on cyber threats and safe practices.”
“These should include cyber hygiene best practices and information asset protection with strong multi-factor authentication, as well as a cyber resilience programme that continuously monitors, detects and responds to incidents and anomalies with safe recoveries.”
Forging bonds, learning together
Cybersecurity professionals should avoid the temptation to withdraw into a silo, advised Dr Teoh. They should instead proactively connect with other CISOs or security leaders to exchange notes and learn from one another, she says.
“Have at least one group that you are comfortable to share information with. This is one of the best ways to learn and to pre-empt future threats or areas of concern.”
There are no set rules here, though it might make sense for such groups to consist of peers from the same industry, or, for those in the public sector, of peers from within the same ministry.
Dr Teoh recommends groups of between 10 and 15. Why not a larger group of 40 to 50? “When the group is too big, the information shared will be much [less],” she quipped.
The road ahead might be lonely, and the pressures faced by the CISO can be daunting in the extreme. But if there is one comfort, it would be that CISOs don’t have to journey alone.
Lek concurs: “Regardless of what industry you are in and how competitive it can get, there is one thing that every cyber professional agrees on: That we have to set our differences aside and join hands to fight cyber threats.”
“If one of us becomes the weakest link, for example, then the rest of the industry will get affected,” he concluded.