A lot has been said about the impact of the pandemic on technology transformation, and the hybrid work model is expected to stay in effect for at least a few years to come. We have also seen an increase in cyber attacks in almost all sectors. Attackers have been able to exploit vulnerabilities and take advantage of security gaps that may have been introduced as a result of the pandemic. As a result, the expectations from the role of the CISO evolved in 2020.
One such expectation from the CISO role is to act quickly on re-architecting security as per current business requirements, and to update (and consolidate, if needed) the assets and the vendors that are in use across the organization. This gives CISOs an updated view of the risk posture in light of changes in IT, adoption of new thinking such as Zero Trust, adoption of cloud-based services, and re-evaluation of third-party risk. Another change has been the expectation of the board and senior leadership on cybersecurity and data privacy. Based on our discussions with CISOs from around the financial sector, boards and senior executives now consider cybersecurity both a business and an IT issue, and hence cybersecurity updates are now key discussion points in board briefings. As a result, in addition to deep technical understanding, the CISO also needs to develop a more strategic toolkit to ensure that the key message on cybersecurity is delivered to the board in terms of risk impact on strategy and the business implications of a cyber attack.
The third change is expected because of a change in budget allocation. A few researchers believe that CISOs will be able to secure a cybersecurity budget separate from the IT budget [1], which will help CISOs to work on critical priorities in the cybersecurity space and execute them efficiently.
Some of the critical areas that CISOs should focus on during the post-pandemic era will be network security, MFA and privileged access management, third-party security, and ensuring that secure remote access is scalable for employees who used to access systems only through a desktop set-up.
In a nutshell, expectations from the role of the CISO have evolved in every aspect: policy formulation, technology controls evaluation, governance and reporting to the board, influencing corporate cyber risk culture, and evaluating priorities with respect to budget allocation from a business needs perspective.
DSCI hopes to bring out expert opinions and have meaningful discussions at FINSEC 2021 around all the developments in expectations of the CISO role from a business and technology perspective. This session is most relevant for BU heads, CISOs, and BISOs who are involved in planning and strategizing investments in their organizations and work closely with the CISO of their respective organizations.
[1] https://www.securitymagazine.com/articles/91653-the-changing-role-of-the-ciso