Ventana Research Analyst Perspectives

Increasing threats and challenges from cyberattacks, data breaches and other incidents have made digital security a critical concern for organizations. These dangers have devastating consequences, including financial loss, reputational damage, legal liabilities and operational disruption. Adopting effective and efficient digital security strategies is key to protecting data, assets and customers from risk.

However, ensuring digital security is not an easy task. It requires constant vigilance, adaptation and collaboration from all stakeholders, especially the chief information officer. The CIO plays a pivotal role in orchestrating digital security activities that enable organizational efficiency, minimize disruptions to operations and safeguard against emerging threats. The influence of factors external to the organization ‒ along with a deep understanding of business objectives ‒ must remain top-of-mind for the IT leader. Operating with constrained budgets and protecting limited resources from burnout restrict strategic options.

Despite these challenges, an effective CIO can lead and succeed by understanding the business of digital security. An organization’s “security posture” is the status of its networks and systems based on security resources and capabilities to manage its defense of and reaction to cyber threats. It reflects the organization's security strategy and effectiveness of its controls. Tracking and measuring security posture is important because an organization’s security posture is inversely related to its cybersecurity risk. As security resources and management capabilities improve, the probability of exposure or loss from cyberattacks, data breaches and other threats decreases.

An increase in data protection legislation (such as the General Data Protection Regulation {GDPR} and California Consumer Privacy Act {CCPA}) as well as industry-specific regulations (including the Federal Information Security Modernization Act {FISMA}, New York Department of Financial Services Cybersecurity {NYDFS} Regulation and Health Insurance Portability and Accountability Act {HIPAA}) necessitate the reduction of cybersecurity risk. Organizations must understand the level of vulnerability and exposure across assets, processes and people. Tracking and measuring security posture enables an organization to identify gaps and weaknesses in security measures, prioritize remediation actions, evaluate the effectiveness of digital security investments and demonstrate compliance with regulatory standards.

To measure and improve the security posture, CIOs need to use assessment tools and frameworks that identify and prioritize vulnerabilities and risks and evaluate the effectiveness of security controls and processes. These include:

• The National Institute of Standards and Technology Cybersecurity Framework, providing standards, guidelines and best practices to manage cybersecurity risk consistently and comprehensively.
• The Center for Internet Security Controls, offering 20 actionable and prioritized security measures to help organizations reduce the attack surface.
• Commercially available vendor platforms, ranging from predictive breach risk analysis to cloud-based continuous threat monitoring and scoring.

To improve its security posture, an organization must adopt and implement best practices that enhance visibility, protection and resilience against cyber threats. Examples include:

• Zero-trust models, assuming no trust for any entity or network and requiring continuous verification and authorization for access to data and resources.
• Multi-factor authentication, requiring users to provide two or more pieces of evidence to prove their identity, such as a password, code, biometric feature or device.
• Regular security audits, systematically examining and evaluating the security posture of an organization, including its policies, procedures, controls and systems. Security audits help identify gaps and weaknesses in security measures and provide recommendations for improvement.

Digital security is not just about acquiring and deploying the latest technology. While technology can play a vital role in enhancing the security posture of an organization, it is not sufficient by itself. The CIO needs to align the digital security strategy with the business objectives and priorities of the organization to demonstrate how investing in digital security can deliver positive business outcomes, such as:

• Enhancing customer experience by demonstrating a commitment to protect their data and privacy.
• Reducing operational costs and risks by preventing or minimizing the impact of cyberattacks and data breaches.
• Increasing workforce productivity and efficiency by enabling secure and seamless access to data and systems across the organization.
• Driving innovation and growth by leveraging digital technologies and opportunities without compromising security.
• Achieving compliance and regulatory standards by adhering to digital security best practices and guidelines.

It is important to align digital security practices with business objectives and stakeholder expectations. We assert that by 2025, after decades of digital transformation efforts, two-thirds of organizations will not resource business continuity as an investment priority to reduce operational risk in black swan events. By showing the value and impact of digital security, IT leaders can justify investments and gain support and buy-in from other stakeholders.

Digital security best practices vary by organization but generally map to existing business activities, such as governance, risk management, compliance, awareness and technology. The CIO or IT leader can take steps to ensure all stakeholders communicate effectively about digital security, including:

• Establishing clear and consistent communication channels and protocols for sharing information about digital security risks, incidents and best practices.
• Providing regular training and education sessions for workers and stakeholders to raise awareness and understanding of digital security issues and responsibilities. Stress the value of digital security to the organization’s success.
• Collaborating and coordinating with other organizations, government agencies and cyber communities to exchange information and insights about emerging threats, vulnerabilities and remediation.
• Being transparent and accountable for the organization’s digital security practices, policies and performance. Report breaches or failures promptly to accurately protect data.
• Choosing the most secure forms of online communication tools and platforms, such as encrypted messaging apps, virtual private networks and cloud services and ensure they have strong authentication and data expiration features.

The CIO or IT leader may face challenges convincing the chief financial officer (CFO) of the need and value of constantly investing in digital security software. One approach is to frame digital security as an ongoing and iterative process that requires continuous funding and evaluation, rather than a one-time project with fixed costs and outcomes. Highlight the benefits and value of digital security software for the business, such as enhancing customer trust, reducing operational risks, increasing productivity, driving innovation and achieving compliance.

Aligning digital security software with business objectives and priorities also demonstrates support of the organization’s digital transformation and modernization initiatives. Providing clear and transparent metrics and indicators demonstrating the return on investment (ROI) and impact of digital security software on business performance and outcomes ties investments to critical organizational goals.

It is important to collaborate with the CFO and other stakeholders to establish a robust governance framework and a product-centric approach for digital security software funding and decision-making. These methods can persuade the CFO of the necessity and importance of investing in digital security and foster a collaborative partnership for the organization.

An organization’s digital security program should never be an afterthought. It is integral to operation and success. CIOs can improve the organization’s security posture to align with business objectives and stakeholder expectations. Beyond building expertise with digital security technologies, IT leaders must communicate effectively with the management team ‒ especially the CFO ‒ to justify and optimize investment in digital security software. A better understanding of the challenges and opportunities that digital security presents and how CIOs can apply their role and expertise to create a secure and successful digital environment is beneficial now and in the future.

Regards,

Jeff Orr