by Deryck Mitchelson*
Their C-level colleagues want to build shareholder value, drive growth, transform operating models, differentiate with new digital services and experiences, and a lot more. They want to make sure they’re fully compliant with the appropriate mandates and, of course, everyone needs to be sure departments are as protected as possible. It’s a big ask.
Depending on their context, the CISOs we talk to are liable to react in one of two ways. Some will be confident they have everything in place to facilitate these transformations. Others – the larger group – are likely to question whether they have the right infrastructure, or the budget, to secure it all.
Whatever the response, let’s be in no doubt that CISOs aren’t thinking about endpoints or appliances. They’re focused on KPIs, operational efficiencies and cyber resilience. And their chief pain points are around modernization, evolving regulations and aligning security to business strategy. At this level, the tech rarely gets on the agenda.
This is an important point. All too often, security vendors and solution providers are more comfortable operating “in the basement”, focusing on delivering siloed solutions. Best of breed or not, we’ve all got to recognize the world’s moved on.
Our customers face a host of serious challenges right now, as well as a range of exciting opportunities. Talking about firewalls or endpoint protection won’t help security teams tackle the first or realize the second.
Plus, with the C-suite and boards now less confident that their security leaders can deliver on their key business priorities, product conversations don’t help.
Security needs to be a strategic discussion. It’s no longer just about providing a robust defence. We need to engage with the business, on business issues, and show how our industry can help CISOs go beyond protection and facilitate and accelerate transformation across their organizations.
The digital imperative for organizations
From retail banks and insurance companies to government agencies and automakers, digital transformation is reshaping markets.
Evolving data products, agile digital ecosystems and new cloud-based operating models are being planned and adopted across sectors. Surveys tell us that 71% of businesses are increasing revenue through digital transformation. And, of course, we’re only at the beginning of the artificial intelligence (AI) wave.
Expectations around AI are sky high from CEOs and boards. Nine in 10 tech leaders (92%) expect AI to be adopted in their organization in 2025 – more than any other technology. But confidence around security is anything but certain.
Organizations face multiple – known and unknown – security challenges as they experiment with and adopt generative AI (GenAI) applications and build out their large language models. In one study, 43% of cybersecurity professionals said their companies were concerned about data leakage as staff increasingly use GenAI, while 42% weren’t sure if any staff were accessing generative AI sites or what they were doing on them.
It’s not quite the Wild West, but it’s close. One thing’s for sure, digital transformation was already broadening the attack surface. AI has just made it that much larger.
Size is just one of the issues – another is complexity. The infrastructure driving digital transformations is intricate. Legacy on-premises, cloud, edge and hybrid environments are all part of the mix.
Plus, depending on the industry, every CISO will need to be aware of and address a whole bunch of regulations. Moreover, those regulations continue to evolve, with some of the latest including the EU’s Digital Operational Resilience Act (DORA) in financial services, its Network and Information Security (NIS2) Directive in critical infrastructure and its Cyber Resilience Act, and the Federal Information Security Modernization Act (FISMA) in the US, to name just a few.
With competing priorities and finite budgets, CISOs are limited in what they can do. Even if this weren’t the case, there’s still the issue of the shortage of skilled cybersecurity professionals – which is not something that can be easily overcome in the short term. Everything considered, there are a lot of reasons to keep security chiefs awake at night.
Time to change the conversation on security?
With a different perspective on security, and with more strategic support from the vendor community, many of these dilemmas can be addressed in a very pragmatic way. As I’ve already touched on, viewing security as purely a defensive measure is to miss its very real ability to accelerate transformation.
Think of the earlier GenAI example. With governance and practical measures in place to solve the data leakage issue, teams across organizations can very quickly adopt – and get value from – their copilots and virtual assistants.
In the same way, organizations can accelerate the roll-out of new digital apps and services. Likewise, the move to cloud can be accelerated if boardrooms, shareholders and regulators are confident that cyber risks can be appropriately managed. The list goes on.
Suddenly, security – or more accurately, cyber resilience – becomes a cornerstone of digital transformation, something that actually delivers growth. This also means you can attach a value to it, rather than a cost, which often helps unlock additional budget and/or resource.
Moving from secure to cyber resilient
Right now, business models are almost uniformly reliant on digital technology. Disruption here seriously impacts operations and revenue. While the financial toll of a cyberattack varies, a recent report cited an average cost of $4.76 million per incident, without even considering the longer-term reputational impacts.
Traditional security strategies often focus on proactively identifying and mitigating threats, but prevention alone cannot guarantee that operations continue when an attack succeeds. So we need to change the conversation here, too, and focus on cyber resilience.
Achieving true cyber resilience means adopting a more holistic approach. It’s not just about preventing incidents but about ensuring that, when disruptions happen, the organization can quickly recover and maintain operational continuity.
A key metric for assessing resilience is mean time to recovery (MTTR) – knowing how quickly systems can return to full functionality is crucial for understanding an organization’s cyber resilience level.
Cyber resilience requires embedding security into every layer of a digital enterprise. This holistic integration doesn’t just protect against cyber threats – it enables faster regulatory compliance, increases operational flexibility, and builds the confidence needed to drive innovation.
Security woven into the fabric of every workflow supports this agility, enabling it to grow alongside other workstreams from the outset. And it becomes a simpler task to align security with business goals.
Taking a platform approach for cyber resilience
So, how can a business become truly cyber resilient? CISOs already face significant complexity and budget constraints. For them, an ideal solution must be simple, cost-effective and integrated. Here, a platform approach offers a streamlined path to resilience.
A platform approach – where an organization uses one unified platform to manage and integrate security tools and functions – takes out the complexity. As CISOs know, managing a multi-vendor ecosystem of security solutions isn’t just complex – it’s costly.
Platforms significantly reduce operational costs and improve total cost of ownership. Moreover, a fully integrated platform can automate security management and free up precious resources – helping overcome staffing problems when cybersecurity skills are in short supply.
*Global Chief Information Security Officer, Check Point Software Technologies
**First published on weforum.org