The Digital Transformation and the Role of the CISO
Cybersecurity needs to be at the heart of the digital transformation, but organisational models will have to evolve
Cybersecurity is in the process of becoming an essential component of any organisation’s digital transformation journey. There is no way around this, especially as policymakers start dipping their toes into privacy and security issues, and societal norms are shifting on the topic.
Most new technology layers enabling the digital transformation need to be protected from interference, intrusion, or corruption. This is especially the case across industry sectors seeking to take advantage of the enormous opportunities offered by driverless vehicles and the logistics sector – amongst others – could be unrecognizable in ten years’ time.
New technologies will also generate and feed on massive amounts of data – most of it sensitive or private – that will need to be collected, processed, and safeguarded in a way that is both sensible and ethical. The concepts of security by design and of privacy by design will inevitably become any organisation’s best allies in its innovative endeavours and must be taken seriously by all digital transformation players, especially as the regulatory and social contexts become harder to navigate.
There is no doubt – in our opinion – that organisations which put information security and privacy at the heart of their digital transformation from the start could obtain a real competitive advantage in the mid-to-long run.
As a matter of fact, the recent launch of the General Data Protection Regulation (GDPR) in the EU is changing dramatically the incentives landscape for all businesses active in Europe. In addition to the fines of 4% of the global turnover, firms are now required to report any relevant data breach to the regulator within 72 hours. This will require capabilities of detection, analysis and reaction, which go far beyond the scope of the security teams and will force many corporate stakeholders to work together on those matters (security, IT, legal, DPO teams, senior management etc…). As such, the GDPR could be a painful lesson as to why cybersecurity is necessarily a transversal matter for organisations of all sizes.
Finally, and perhaps most importantly, respect for privacy and the protection of personal data is likely to become a true competitive advantage as our societies become increasingly warry of these issues.
This shift is well illustrated by the first complaints filed under the GDPR framework. Privacy activists such as Max Schrems or the French Quadrature du Net, for example, have already started to drag high-profile tech companies (Facebook, Google, Instagram, etc…) into what could become lengthy legal proceedings. Depending on how the regulators react, this could have deep implications on how data-driven businesses are to operate in Europe.
Increasingly, security and privacy become intertwined, but it makes little sense from a corporate governance perspective to allow a new privacy organisation under a DPO to grow in parallel to – or in conflict with – existing security structures. Synergies are obvious and need to be leveraged, and where security practices are deemed dysfunctional or in need of improvement, this could provide an ideal opportunity.
In fact, it could be the start of a major evolution around corporate perceptions of security and privacy, from burden, annoyance and costs, towards becoming central management functions. But organisational models will have to evolve as a result to accommodate the truly transversal nature of security and privacy matters and carve out a niche for those new corporate functions.
At this junction, the traditional role of the CISO – heavily influenced by a technical bias, tactically-oriented and project-driven in many firms – could become exposed.
Not in its functional existence – IT security is more essential than ever – but in its corporate prominence. Having failed to project their roles beyond the tactical and technical fields for the best part of the last decade, many CISOs could find themselves pushed down the organisation while CSO and DPO roles take centre stage at the top.
With those new roles should come new people and a new focus, and probably a different way to approach security matters and talk about them.
We could be at the start of an exciting decade for all security professionals.