Smoothing the Intersection of Cybersecurity and Innovation
“CISOs cannot be the only [party] responsible for security,” said Stéphane Duguin, the CEO of the CyberPeace Institute.
As the digital world rapidly evolves, CISOs around the world face the tough challenge of defending their organisations from a constantly expanding range of cyber threats. So how should CISOs balance forging ahead with innovation and maintaining security?
“CISOs are too often the end of the chain; tons of decisions are often made without the CISO.”
– Stéphane Duguin, CEO, CyberPeace Institute
Duguin was unequivocal that cybersecurity should be a collective responsibility. In his view, the desire to innovate is all well and good. But why must the ball invariably end up in the CISO’s court?
The same side of the fence: Innovation and cyber security
“To disrupt and innovate is fine. However, it needs to be clearly understood by each and every manager that cybersecurity issues can potentially arise from new initiatives. This should be on every one of their performance evaluations – no one should get a bonus or a raise if they are not meeting their cybersecurity KPIs,” he said.
“CISOs are too often the end of the chain; tons of decisions are often made without the CISO. And at the end of the day, someone simply goes to the CISO and says: ‘Oh, can you secure this by the way?’”
Early involvement in a project is vital, says Alexander Antukh, the CISO of AboitzPower. He notes that supporting digital innovation without sacrificing security starts with early involvement in projects to integrate "Security by Design" principles, ensuring that security initiatives are aligned directly with business goals.
“CISOs must understand the systemic nature of digital risk and contextualise innovation within this landscape. Regular communication between security and innovation teams ensures that both agendas progress cohesively, minimising vulnerabilities while maximising business value,” he said.
CISOs should also focus on business outcomes: “The key to communicating this delicate balance is to use the language of business outcomes. Instead of detailing technical risks or security measures, CISOs need to focus on financial metrics such as potential impact – revenue loss, brand damage, and regulatory penalties.”
Risk or compliance?
Should CISOs adopt a risk-based approach or a compliance approach? Is there a middle ground?
“If you just want to be compliant, I will say that I don't think this works. Because just being compliant [alone] is going to put you behind the curve,” observed Duguin.
On that front, Duguin cautioned that the regulatory environment is changing very quickly, citing new regulations such as the Cyber Resilience Act which came into effect last year and the Digital Services Act in August.
“And that is just in Europe. Multiply this by the number of different regulations that are popping out left and right around the world – for CISOs operating in global companies, it's already a legal headache,” he said.
What would a risk-based approach look like? “The first question that we need to ask is, who wants to target me? What would be the intent? And then what kind of capabilities do they have? Knowing this makes it easier to design your defences and more importantly, to prioritise, because you cannot defend everything at the same time.”
“Cyber security is an operational field, so it's better to start with risk. Start with a flat landscape analysis to identify measures, and then to investigate whether these measures will enforce compliance. Is there something missing? If that’s the case, work to address that,” summed up Duguin.
“While both risk-based and compliance approaches have merits, a risk-centric strategy offers a dynamic framework that adapts to evolving threats. In this view, compliance failures are treated as yet another category of risk, potentially leading to financial and reputational losses,” said Antukh.
“This approach, along with robust risk quantification processes, allows [us] to consolidate the message and appeal to the executive audience. With that said, once the risk of non-compliance is deemed unacceptable, it is certainly possible to use compliance requirements as a baseline.”
Preparing for the future
When it comes to preparing for the road ahead, Antukh recommends adopting a multi-faceted approach to upskilling. This means formal training, workshops, and real-world exercises, as well as fostering a culture of learning and curiosity in the team.
“CISOs should encourage team members to attain certifications, connect with their peers and participate in industry events, organise learning sessions within the company, and, if possible, contribute to open-source projects,” he said.
For Duguin, the key is creating an environment where failing is not a name-and-shame game and ensuring diversity in cyber security teams.
“Everyone in cybersecurity fails. Everyone is going to make a mistake. The whole point is to empower people to feel safe, that they can admit that they failed and learn from their mistakes. And then you can improve your security as fast as possible.”
“Think also about diversity, including gender. You don't end up leading a team of guys all from the same part of the planet. Because in front of you, you have a very diverse crowd of attackers – it takes a very diverse brain to engineer a response.”