Go back just five or six years and cybersecurity was in a very different place in terms of having a seat at the boardroom table. But the relationship between Chief Information Security Officers (CISOs) and the board is changing. Security is no longer seen as a cost centre to help ‘keep the lights on’, but as an important investment for the business.
The language between the two functions is also changing. Today, many CISOs not only regularly meet with other executive leaders, but also translate the importance of their work, their teams and their mission in terms of business value. Now, the board is starting to understand what security does and needs, and the security function is starting to understand what the board is looking for.
Speaking a common language means the security function can prove its value to the business – as an enabler rather than an inhibitor – and makes it easier for security leaders to get the support and investment they need. CISOs still have to justify the spend, of course, and show the results of that investment, but it is less of a battle than it used to be.
What we are seeing is that security, perhaps for the first time, is staying close to the top of the priority list, despite the current economic challenges. Businesses understand how important it is to invest, and spending on cybersecurity is at an all-time high, while ransomware payments continue to go up as well.
Given the recent economic downturn and with many businesses looking for ways to reduce their costs, the question is whether it will become more challenging during this year for CISOs to secure funding in the same way. Will they be expected to do more with less?
It is possible to do more with less. But instead, what we should be asking is whether we can do security differently. There is an opportunity to be more innovative, getting better results without having to throw more money at it. Do not assume that doing more or adding more will make you more secure. It is a different way of thinking, whether it’s about technology, processes, or training, to get the right results for that business – and every business will be different in this respect.
Going back to the idea that the board and security function are now more aligned and speaking the same language, it becomes much easier for the CISO to show their worth by demonstrating how much money has been saved. This is particularly the case when times are tough.
One way CISOs might be looking at cutting costs is through consolidation of vendors, which could make things a bit simpler and more agile for the business to grow. It’s certainly something that the board can easily understand without it becoming too technical.
But there’s also a risk that too much consolidation could impact the business. Looking at the threat landscape right now, any vendor consolidation needs to be considered carefully to avoid compromising the business.
Looking at the year ahead, we recently asked a panel of CISOs what they believe is the most important thing for CISOs to prepare for in 2023.
Collaboration is most important, with security and the business working as one entity rather than in isolation. That means understanding how the business works and communicating with different departments to help mitigate threats and come up with strategies that work in harmony, as well as understanding the key pain points within their own industries, whether that’s manufacturing or financial services.
But we all agree that uncertainty is the key word for this year and CISOs will have to think outside the box to ensure they continue to keep the business safe. This means uncertainty in terms of budgets, the economy, the threat landscape – and with uncertainty comes chaos. Sadly, cyber criminals thrive in chaos. They are not going to slow down, and are always looking at new and ingenious ways to carry out attacks and take advantage of it.
Security is going to be more important in 2023. The board needs to understand this, and that in the year ahead security needs more attention, support and potentially investment than ever before.
Mark Guntrip, Senior Director, Cybersecurity Strategy, Menlo Security