by David Koh and Nancy Luquette*
High-profile cybersecurity breaches are increasingly in the headlines, even more so in the wake of the COVID-19 pandemic. Attacks aimed at the financial sector increased 238% from February to April 2020 alone, with ransomware attacks growing ninefold over the same period. Coupled with a growing focus on the management of environmental, social, and governance (ESG) factors, establishing a strong organisational cybersecurity framework is becoming more critical than ever.
Security in Practice in Singapore
At the national level, effective collaboration between private and public sector leaders is key to ensuring a nation is cyber resilient. Cybersecurity is a team sport, and different segments of the community need to work together to ensure a more resilient and safer cyberspace.
Governments can put in place national initiatives to raise the baseline level of cyber hygiene among internet users. For instance, in 2020 Singapore launched its Safer Cyberspace Masterplan to strengthen cybersecurity among individuals, communities, businesses and organisations. The plan's three strategic pillars aim to secure core digital infrastructure, safeguard cyberspace activities and empower a cyber-savvy population.
The SG Cyber Safe programme is part of the Masterplan to help enterprises improve their cybersecurity position. Some of the initiatives include the development of cybersecurity toolkits and a trustmark for enterprises with leading cybersecurity practices.
The role of industry and companies
There is also a role for industry partners to play. The government is working with industry to increase awareness and drive adoption of cybersecurity among enterprises. Singapore also encourages businesses to prioritise secure-by-design practices in conceptualisation, development, deployment and provision of digital products and services. To this end, Singapore has launched the Cybersecurity Labelling Scheme (CLS) to raise the security levels of Internet of Things (IoT) devices and support the adoption of best practices in incorporating security in product development life cycles.
There is also much work to do at a company level. The rising number of cyberattacks during the pandemic, coupled with the additional security risks of remote work, has forced almost all organisations to speed up digital transformation plans. As S&P Global reports, new security technologies continue to come to the fore as a result.
To make decisions that drive their strategies forward effectively, and securely, senior executives and Boards will depend more on savvy cybersecurity leaders to shape their organisation's security posture in line with its risk appetite.
To meet these needs, the effective chief information security officer (CISO) must hone four key skill sets to go from subject matter expert to strategic leader.
1) Taking a proactive stance
This means having the basics in place, such as identity and access management, antivirus protection, patching, and effective physical security and access controls. It also means establishing continuous monitoring to detect threats from both external actors and insiders (an organisation's own employees, contractors and other trusted users).
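As an added illustration of what "continuous monitoring" for both external and insider threats can look like in practice, the script below runs two simple detections over a handful of constructed authentication log lines. This is example code written for this page, not anything from the article or from CSA or S&P Global; the sshd-style log format, the brute-force threshold and window, the business-hours range and the internal address prefix are all assumptions chosen for the example.

```python
"""Minimal continuous-monitoring pass over authentication logs.

Flags two patterns: repeated failed logins from one external address
(brute force) and successful internal logins outside business hours
(a crude insider-anomaly signal). Log format and thresholds are
assumptions for this example, not from the original article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed sshd-style line:
# "<ISO timestamp> sshd: Failed|Accepted password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:00:15 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:16 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:17 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:18 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:19 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:20 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:30:00 sshd: Accepted password for bob from 10.0.0.9
2024-03-02T02:14:00 sshd: Accepted password for alice from 10.0.0.44
2024-03-02T03:01:00 sshd: Failed password for carol from 198.51.100.2
"""

# Tuning values are assumptions for this example.
BRUTE_FORCE_THRESHOLD = 5                  # this many failures from one IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=1)  # ... within this sliding window
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 is treated as normal
INTERNAL_PREFIX = "10."                    # assumed internal address range


def parse(text):
    """Yield (timestamp, result, user, ip) tuples for lines matching LINE_RE."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_brute_force(events):
    """Return the set of IPs with >= BRUTE_FORCE_THRESHOLD failures inside the window."""
    failures = defaultdict(list)
    flagged = set()
    for ts, result, _user, ip in events:
        if result != "Failed":
            continue
        window = failures[ip]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while window and ts - window[0] > BRUTE_FORCE_WINDOW:
            window.pop(0)
        if len(window) >= BRUTE_FORCE_THRESHOLD:
            flagged.add(ip)
    return flagged


def detect_insider_anomalies(events):
    """Return (user, iso_timestamp, ip) for successful internal logins outside business hours."""
    return [
        (user, ts.isoformat(), ip)
        for ts, result, user, ip in events
        if result == "Accepted"
        and ip.startswith(INTERNAL_PREFIX)
        and ts.hour not in BUSINESS_HOURS
    ]


def run(log_text=SAMPLE_LOG):
    """Run both detections over the log text and return the findings."""
    events = list(parse(log_text))
    return {
        "brute_force_ips": sorted(detect_brute_force(events)),
        "insider_anomalies": detect_insider_anomalies(events),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

On the constructed input the brute-force rule fires for 203.0.113.7 (six failures within a minute) and the insider rule fires once, for alice's 02:14 login from an internal address; bob's daytime login and the single failure from 198.51.100.2 are left alone. In a real deployment these rules would be fed by a log pipeline rather than a string constant, and the thresholds would be tuned against the organisation's own baseline.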
A CISO must also keep pace with the ever-evolving threat landscape. This should involve maintaining awareness of breaches in both their own and other industries, considering how these could affect their organisation and developing tactics to address potential threats.
Proactivity also requires practice. Organisations must develop the muscle memory to respond quickly and effectively to threats. Holding regular exercises lets both the cyber leader and the supporting teams rehearse how their organisation will react when a breach occurs. Post-mortem sessions then feed the lessons learned back into the cybersecurity process.
2) Seeking to listen and understand
To establish themselves as strategic partners, cybersecurity leaders must be proficient listeners. By listening and learning their organisation’s critical business processes and operations, CISOs will be able to protect and, if necessary, help to restore them.
Cyber leaders need to grasp:
- A horizontal understanding, to pinpoint the functions that are core to the organisation's mandate and require the most attention and protection.
- A vertical understanding, which encompasses the cybersecurity principles and measures to implement that protect business operations and address risks, while balancing cost.
With this in mind, the CISO also needs to have a clear understanding of their organisation’s risk appetite. How much risk is their leadership willing to assume as they balance customer and stakeholder priorities with the need to secure business operations?
3) Becoming bilingual in technical and strategic language
To be effective ambassadors, CISOs need more than exceptional communication skills: they have to be bilingual. This means being fluent in technical language as well as in the broader strategic language of the board and senior leadership.
As an ally and partner to these key stakeholders, a cyber leader must learn how to frame cybersecurity as a strategic investment and core business imperative, rather than simply a cost centre. Cyber risk carries reputational and legal implications, which translate into real costs in the event of a breach. Investing in cybersecurity helps to reduce both the likelihood and the cost of such breaches.
CISOs should also frame cybersecurity as a differentiator, especially in industries where trust is critical to business relationships. Cybersecurity is an increasingly crucial element of customer expectations and, ultimately, retention, rather than simply an aspect of the product development process.
By moving from a defensive position to one that proactively enables the business to innovate, CISOs will be able to help their organisations transform safely and securely in the digital era. They will also become more influential among business leaders and senior management.
4) Establishing regular dialogue
Cyber leaders should have regular conversations with business leaders and executives, so cyber risk management becomes part of daily decision making. Ideally, with a two-way dialogue, senior executives will see CISOs as critical partners with whom they share strategy, goals, and needs. CISOs, in turn, can outline potential risks, remediations and the impact of trade-offs to leadership.
Honing these four skill sets should help CISOs build a clear understanding of cyber issues, instil in business leadership a sensitivity to risk and, ultimately, help institutionalise a process for Board-level risk mitigation decisions. With these four skill sets in hand, cyber leaders will be well positioned for success.
*David Koh is Commissioner of Cybersecurity and Chief Executive, Cyber Security Agency of Singapore (CSA); Nancy Luquette is Chief Risk Officer, S&P Global.
**First published on www.weforum.org