The surging demands on the CISO role

Your Chief Information Security Officer (CISO) needs to be part of the force that propels your business forward. For many organizations, that isn’t true today — and it puts both the organization and the role at risk.

Many CISOs come from technical backgrounds in organizations that have traditionally separated business functions from the technology functions that supported them. That traditional background and separation can make it difficult for CISOs to integrate into the business strategy. Many are basically tech-savvy managers who deliver a cybersecurity status report to the board of directors.

“Many CISOs are part of the C-suite in name only, not in the actual role,” said Maxim Kovalsky, Managing Director, Cybersecurity and Privacy, Risk Advisory Services at Grant Thornton Advisors LLC. “They understand the IT part of the business, but CISOs need to really become embedded in the business strategy. They need to be at the table when business strategy is both developed and executed.” That’s because the core functions of today’s organizations increasingly depend on technology and security. Now, the CISO needs to help drive competitive differentiation, put regulators at ease, and engage with the board of directors to demonstrate the business value of cybersecurity investments.

If CISOs do not evolve — and if organizations do not allow for changes in the role — then business resilience is at risk.

Maxim Kovalsky, Managing Director, Cybersecurity and Privacy, Risk Advisory Services, Grant Thornton Advisors LLC:

“Many CISOs are part of the C-suite in name only, not in the actual role … They need to be at the table when business strategy is both developed and executed.”
Industry implications

As healthcare organizations adopt new digital technologies to improve access to care, operating margin and workforce effectiveness, they must also evolve their cybersecurity management framework. That means the CISO must become a strategic transformation enabler who protects patient data and ensures the continuity of care.

Cybersecurity in healthcare faces a complex landscape of regulatory requirements, patient privacy concerns, and the constant threat of cyberattacks. CISOs need to participate in discussions about how technology can enhance clinical outcomes and operational effectiveness, to help ensure new technologies can navigate the complex cybersecurity landscape. Healthcare CISOs also need to be proactive in addressing emerging cybersecurity regulations and risks. The adoption of cloud-based technologies, artificial intelligence (AI) and third-party services will introduce new vulnerabilities that must be managed.

Cyberattacks on healthcare organizations can have devastating consequences — not only in terms of financial loss but also in terms of patient safety. CISOs must develop strategies that manage these risks to ensure that organizations can continue to operate even in the face of significant cyber threats.

Advanced technologies like the Internet of Things (IoT), artificial intelligence (AI) and cloud-based solutions are driving an interconnected digital transformation across the manufacturing industry.

This transformation is creating a convergence of operational technology (OT) with information technology (IT), and the traditional separation between these two domains is no longer sustainable. That means cyberattacks can now target both IT systems and industrial control systems, putting a manufacturer’s core production at risk. Third-party services can also introduce new vulnerabilities that manufacturers need to manage.

CISOs need to be involved in business strategy discussions, to help ensure that the risks from enabling technologies and partners are sufficiently managed. CISOs also need to develop strategies that combine cybersecurity with attack identification and mitigation to ensure that manufacturing operations can continue during and after cyberattacks.

Companies in the technology industry face unique cybersecurity challenges posed by the rapid pace of innovation, the increasing sophistication of cyberattacks and the dual role of being both a technology user and provider.

As companies constantly develop new products and services that maximize advancements in AI, IoT, blockchain and other evolving technologies, new risks emerge. CISOs must help ensure that business strategies incorporate cybersecurity together with product development, addressing emerging risks along with regulations governing data privacy, usage and other requirements. Data security and privacy are often product differentiators in the technology industry, where failures put an entire brand at risk.

The attack surface for a technology company can extend beyond its operations to its customers, as damage to key customer relationships can threaten business resilience. Technology industry CISOs play a critical role in ensuring resilience, driving growth and defining strategic paths ahead.

Resilience at risk

Business leaders are changing how they think about the importance and scope of cybersecurity.

“There is a recognition that disruptive cyberattacks are inevitable, based on what we’re seeing in the news,” Kovalsky said. “Large organizations with very sophisticated cybersecurity programs, and a history of making the right investments and decisions, are still falling victim to cyberattacks. It’s becoming virtually impossible to guarantee that X number of dollars will result in zero risk of falling victim to a cyberattack.” That’s why business resilience requires a strategy that operationalizes the ability to withstand and adapt to attacks at the system level, and combines cybersecurity with attack identification and mitigation.

“This is leading to boardroom conversations that are elevating the role of the CISO,” Kovalsky said. Operational resiliency requires more than just using technology to keep systems secure and protected from potential intrusions. It also considers how the business can keep operating during a significant cyberattack. “Is the business resilient enough to continue serving its customers, maintaining its sales pipeline — all of the things that businesses need to do while key systems and business processes are being disrupted by a cyberattack?”

To help ensure business resilience, CISOs need to be involved in — and informed by — discussions that go beyond cybersecurity. CISOs need to expand beyond their traditional technical roles to a broader role that includes three personas.

Three personas

Effective CISOs need to evolve their roles to encompass three personas: an entrepreneur who is committed to business growth, a politician who is engaged with multiple audiences, and a technocrat who leads and mentors the technical team.

“The entrepreneur is the first, and probably most important, persona required for the CISO to be successful,” Kovalsky said. “One of the priorities there is an obsession with the company’s products and customers. Out of all of the priorities listed, that is number one.”

But how does that look, and where would a CISO demonstrate a product and customer focus?

“The best place and time to do it is in interactions with the board of directors,” Kovalsky said. Increasingly, boards are discussing cybersecurity, and that can become a larger conversation about cybersecurity and the brand. “Board members are seeing the news, maybe seeing competitors suffering from attacks. Naturally, questions arise. It’s somewhat up to the CISO to define how those interactions look.”

“Board meetings and presentations are the best opportunity for a CISO to demonstrate their acute awareness of what the business is about and how their work ties into it. They’re not just talking about the number of attacks and intrusion attempts — they should be elevating that conversation to where the customer is at the heart of the concern,” Kovalsky said.

The cybersecurity status report is where most CISO roles start and end during a board meeting. That’s familiar territory, and it matches expectations. To go further, CISOs need to:

  1. Understand the customers or clients and the target market.
  2. Understand the positioning of products or services in that market.
  3. Articulate the role of cybersecurity and operational resiliency in delivering those products and services.
  4. Articulate how the work and investment in cybersecurity and operational resiliency are creating a competitive advantage.
  5. Suggest how the organization can use that advantage to gain market share.
  6. Suggest how the organization can communicate that advantage to customers.

As CISOs learn how to identify, articulate and share the value they bring to strategic discussions, there are many types of value to consider.

Expanded business value

To become entrepreneurs who are helping to build business value, CISOs should be ready to discuss their role in resiliency, growth and other business issues across many scenarios.

“Let’s talk about positioning a new product for rollout,” Kovalsky suggested. “When we’re communicating with consumers — developing a messaging campaign for a new business, line of services, or products — that’s a perfect opportunity for the CISO to jump in.” The CISO should be informed about the rollout early in the pipeline and should ensure they are doing what’s required to build resiliency into new and existing business processes. Beyond resiliency, though, they can consider:

  • How and where should our customer messages include points about cybersecurity and protecting the data that customers entrust to us?
  • How do those messages change if the audience is a consumer, a business-to-business enterprise, or a third party with clients?

Data protection might not be part of your organization’s customer messages — but maybe it should be. “Every company is in the business of collecting data,” Kovalsky said. “There are many opportunities for messaging about how the company protects the data entrusted to it. Many banks, for example, are increasingly doing that. They’re not only messaging about it, they’re putting money where their mouth is for privacy and data security, even providing training and awareness to consumers.”

Many bank and credit card apps offer tips about data safety and provide proactive alerts about possible fraud.

“You don’t necessarily get that in the other apps — that’s what I mean about taking market share with a differentiator in the marketplace,” Kovalsky said.

Security tips and proactive alerts build interactive customer relationships that can improve customer engagement and retention. They break down a wall and move a customer from being a service user toward being a brand advocate.

By discussing customer and product development, CISOs can earn their space at the table. “They earn the trust of the rest of the C-suite when they demonstrate that they're entrepreneurs and that they're obsessed about growth — not just protecting value, but doing their part to grow the company.”

As companies form strategies for growth, they need to know where business model changes could make them subject to new risks and regulations.

Expanded risks

As technocrats, CISOs can offer an important understanding of strategic risks. Many companies are making strategic moves for cloud-based products and processes, often choosing a single cloud provider where they can negotiate the best pricing or expanded capabilities. However, these moves can create risks, changing the controls that are required to ensure cybersecurity and business resilience. Similarly, strategic implementation of AI technology, third-party services and other capabilities can push boards to discuss cybersecurity.

Beyond these risks, business leaders are also starting to see emerging cybersecurity regulations. “Some recent regulations are forcing the board to ask about and get involved in information security — and to ask certain questions of the CISO,” Kovalsky said. 

For example, the New York State Department of Financial Services (NYDFS) Part 500 specifies cybersecurity requirements for insurance and financial services companies that operate in or serve residents in the state. The regulation was created in 2017, but new revisions took effect in November 2024. “A company that’s subject to the regulation needs to file an annual report attesting that it’s compliant with those requirements — and the CEO and CISO have to sign on that report,” Kovalsky said. “It’s forcing the CEO and the CISO to have conversations that they might not have had, because now the CEO is required to attest to a regulator about complying with regulations that they might not fully understand. How should the CISO be communicating to the CEO, to provide the CEO with a level of confidence and a level of comfort to sign on the dotted line?”

How can CISOs prepare to answer these bigger questions and participate in bigger discussions?

Expanded role

CISOs need to become politicians campaigning for their roles across organizations of every size, industry and regulatory environment. “I’ve seen the CISO role done well, embodying all three personas, in companies that are not regulated and that don’t have a massive cybersecurity budget,” Kovalsky said.

To successfully elevate their roles, CISOs might need to proactively seek out collaboration and discussion with other leaders. “Maybe reach out to stakeholders, with a little bit of humility, to say that there are some growth areas you want to pursue. CISOs who are being transparent with their peers and superiors are sometimes pleasantly surprised about the opportunities that are then afforded to them,” Kovalsky said. “A CISO wanting to improve the way they communicate and present to the board, for example, may want to try role-playing with a couple of board members. Are there board members willing to sit down a couple of times, to do a couple of dry runs and give you some pointers? Or, spend some time with a CEO or CFO in a similar scenario, just reflecting on strengths and opportunities and then developing a plan to grow into those areas.”

This kind of development is important for both the CISO role and companies overall. “If CISOs aren’t successful at embodying the entrepreneur and politician personas, and then guiding the technology within their companies, then the digital transformation that’s happening within enterprises is going to run away from them,” Kovalsky said. “A CISO who is not in touch with the business, and is unable to communicate and build relationships with those who are most important internally and externally, will be stuck in a reactive mode as companies adopt and implement new technologies.”
