
A CISO's perspective: how do you collaborate and utilize cybersecurity value with your peers/stakeholders and influence the organisation?
Yaroth Chhay, Senior Vice President & Head of Information Security Division at ACLEDA Bank Plc., Cambodia


Today, manufacturers and most industries are investing in Industry 4.0 innovation and leveraging cutting-edge automation, AI, and hyper-connected infrastructure technologies to compete in a global market and gain a competitive business advantage.
The increasing use of AI/ML/DL technologies and soaring demand for Cloud Computing, IoT (Internet-of-things) & EoT (Enterprise-of-things) devices are likely to strengthen market progress and modernize their digital products and services. Modern technologies are more vulnerable and expose critical services to cyber risks, which lead to cyber-attacks and could significantly disrupt the process of business transformation and business strategy. Hence, multiple high-level security measures are required to manage and mitigate these risks to an acceptable level of business risk appetite, along with consideration of alternative solutions to control the risk and enable critical business processes to move forward.
What significant roles do CISOs or cybersecurity leaders play in enabling business processes?
In the last few years, CISOs or security leaders were only required to be technical experts, but the situation has changed. Now, the roles of a CISO are unique, dynamic, diverse, and challenging. They are required to develop traits that go well beyond the technological stack. In an organization, we are positioned to set a security strategy for operational and tactical security implementation, including cybersecurity and privacy, and data asset protection, while ensuring that the cyber risk is kept at an acceptable level. Our ultimate goal is to ensure security and privacy compliance risks are mitigated and maintained by securing and protecting the organization's critical business processes from security threats, data breaches, and other cybersecurity events.
As a leader, a CISO or security leader needs to set the vision, build a strategy that aligns with the business goal, and ensure that there is no misunderstanding about the goal. Our primary focus is to understand the business strategy, address the security challenges, and prepare the organization with the right sets of tools, skills, and capabilities to defend against security risks.
The road to success is not a cakewalk, as there are many hurdles to achieving the goal.
To overcome all these struggles, CISOs or security leaders need to understand business context requirements and adapt themselves to the modern security perspective and flexible cybersecurity frameworks and approaches to transform cybersecurity into a business function and enable business growth.
How do CISOs or cybersecurity leaders create more value for businesses and shareholders?
Cyber value is a value-centric approach. When integrated into the cybersecurity risk management process, it enables organizations to prioritize the cyber risk within an acceptable level. The value-centric approach will help business executives answer questions such as, "What is the ROI on cybersecurity investment?" When cyber risk management is conveyed in financial terms that every company stakeholder understands, it leads to better corporate decision-making and cooperation.
All organizations, private or public enterprises, are exposed to cyber-related loss or cyber risk. Hence, these risks must be communicated to the organization's executives. Most executives have three significant areas that need communication from their cybersecurity team:
• Cyber risk status: Bad news should not surprise them. The board of directors and C-level executives can invest financial resources and call for support from other business functions.
• Cyber risk analysis: As the owner of the enterprise risk, they need to make high-priority risk decisions that are timely and actionable.
• Cyber risk posture: They must communicate the organization's cybersecurity story to various employees and partners, sometimes on the spur of the moment.
Cybersecurity is not an IT issue. It is a business issue that affects the company's bottom line. It can drive up the cost, affect revenue, and also disrupt the ability to innovate and gain or maintain customers.
Cyber risk quantification enables security and business discussions to occur in a language that everyone understands. Quantifying cyber risk in monetary terms allows businesses to assess the cyber risk of various efforts. Executives may weigh the potential cost of cyber risk events against the value of revenue, customer, and market share growth targets.
Cyber value is derived from high-level Cyber Risk Management, Cybersecurity Strategy, Cyber Compliance, Cyber Culture, and Cyber Resilience, which together create value and build business trust among stakeholders at all levels.
CISOs or security leaders need to determine and understand the key areas and what potential peers/stakeholders expect from and value in the organization, then communicate and deliver positive business outcomes to them at the appropriate level of business risk appetite.
CISOs or security leaders can translate cybersecurity strategies, security goals, and technical terms into business language, explaining the potential business outcomes of cybersecurity programs in terms that meet what business leaders need and that reflect the goals of the organization. Strong communication skills are even more vital in the cybersecurity leader's role, which decision-makers consider highly complex and ambiguous. Cyber leaders can leverage this effective communication and link cyber resilience to the strategic matters that executives and directors care about: corporate value, reputational and business growth, customer retention, capital raising, and success in mergers and acquisitions.