The former racing driver Mario Andretti famously said: “It's amazing how many people think that brakes are for slowing the car down.” And he was right: brakes are for making the car go faster, safely. That perfectly sums up the role of cyber security in today's organizations: to let them enjoy the fullest benefits of digital transformation while managing the many risks that come with it.
COVID-19 has magnified both the opportunities and the threats of digitization. Organizations have made remarkable progress in remote working and collaboration for employees, and in improving the digital customer experience. But it has also been a reminder that the physical perimeter no longer bounds the organization's attack surface. With growing reliance on third parties and the proliferation of Internet of Things (IoT) and other connected devices, cyber security now means securing complex ecosystems with a far larger attack surface.
In a marketplace where speed to market is essential, cyber security teams are now responsible for building trust and resilience: forging a pragmatic security culture and helping embed secure-by-design thinking into every aspect of digital infrastructure and data. To do this, they must see themselves as enablers and facilitators, helping others deliver services and brands that earn cyber trust among customers, employees and society at large.
To find out more about how cyber security roles are evolving, KPMG professionals spoke to a number of Chief Information Security Officers (CISOs) from major organizations, from a wide range of industries and regions, as well as to KPMG's cyber security specialists from around the world. From these insights we have identified the seven actions that CISOs should take to help keep organizations resilient and competitive. We invite you to explore these actions and encourage you to contact us to learn more.
The study "From enforcer to influencer. Shaping tomorrow's security team" sets out the seven most important recommendations:
1) You work at board level – act accordingly
As a CISO, it is up to you to make cyber risk visible to senior management when they take strategic decisions. This is about balancing business objectives and security. Moreover, CISOs are increasingly becoming public figures who are expected to represent the company and convey trust. To increase your influence, it is important to think and act pragmatically, and also politically, while building consensus within the company.
2) Think outside the box
Your responsibilities as a CISO are constantly expanding. You need to ensure data security, maintain your company's resilience through disruptive developments, and keep an eye on compliance risks and cybercrime. This cannot be achieved without constant contact with other decision-makers such as the Chief Risk Officer (CRO), the Chief Data Officer (CDO) and, of course, the Chief Information Officer (CIO). This exchange, whether formal or informal, will only succeed if you are open-minded and dare to think outside the box.
3) Integrate cyber security into the DNA of your organization
Today's CISOs must be skilled communicators: they need to convince other decision-makers, personally, that cyber security belongs in the DNA of the company. That is only achieved by raising awareness of the issue as a whole and ensuring it is considered in every management and leadership decision.
4) Bring the appropriate expertise in-house
CISOs will have to enter into collaborations and hire new, sometimes unconventional, staff to help the company meet its digital challenges. In the longer term, however, dedicated cyber risk teams may shrink as the issue comes to be seen less as a stand-alone challenge and more as part of every strategic and business decision.
5) See automation as an opportunity
Automation has many advantages. It takes over repetitive tasks, increases efficiency and eases staff shortages. It also allows compliance requirements and security measures to be implemented in a standardized way, so that responses to cyber incidents become faster and more consistent.
6) Brace yourself for further disruptive developments
We are moving towards a hyper-connected world in which the Internet of Things (IoT) and 5G networks massively increase efficiency and create radically new business models.
At the same time, new data-related risks are emerging for companies. This calls for a data-centric security model, for example one based on the zero-trust principle, under which every access request is verified explicitly rather than trusted because of where it originates on the network, and which can adapt quickly to further innovation, both technically and strategically.
7) Strengthen the cyber security ecosystem
Companies have long been part of a complex ecosystem in which suppliers and other partners are connected by sharing data and services. Conventional contracts and liability models will soon prove unsuitable as a means of meeting these challenges together. A new approach based on cooperation is therefore needed to create security for all parties.