Intelligent CISO Issue 83 | Page 65

BUSINESS surveillance

3. Beyond a technical CISO
Before long, it becomes evident that the CISO needs increased autonomy to evaluate and deploy security controls and procedures across an organisation. At this stage, decision-making power may still be restricted to recommending technology for defending against, detecting and recovering from attacks. But CISOs need the authority to implement more wide-ranging measures, such as protecting cloud environments and controlling access to all corporate systems with access management solutions.
While other executives may express concern about security initiatives slowing down time to market, this is the juncture where business leaders must back the CISO and support essential new cybersecurity initiatives.
Although IT and security are now separate teams, the CIO and CISO should continue to work closely to balance IT goals with security requirements. This ongoing alignment is vital for the security and smooth running of the business.
4. The empowered CISO
When organisations near full maturity, the CISO is participating in strategic meetings with the board of directors, advising on cybersecurity risks, resilience and recovery capabilities. Working with the leadership team, the CISO proactively determines the organisation's tolerance for risk and provides analysis to demonstrate changes in the organisation's risk profile. In addition, they devise the appropriate strategy and security policies to stay within agreed tolerances.
At this advanced level, CISOs are also advising the board about the advantages and concerns surrounding emerging technologies such as AI. Cybersecurity is now an established element of strategic, as well as operational, planning.
5. Secure by design
Javier Dominguez, CISO at Commvault
For organisations that reach the ultimate stage, security is imbued within the fabric of the organisation. Following secure by design principles, employees enterprise-wide adhere to security processes and policies. It's the point where cybersecurity is built into the foundation of everything a business does. Continuous testing of corporate systems is expected, and teams are well-practiced at incident and data recovery.
Planning the maturity cycle
It's safe to say that when it comes to cybersecurity, no two organisations are alike. Each has its own unique technical infrastructure, ways of working and strategic goals. Public companies will have different objectives to private ones. And large businesses will have different resources and obligations compared to smaller entities.
Therefore, calculating the speed of progress through the cybersecurity maturity cycle is not straightforward. However, by understanding the characteristics of each stage, CIOs and business leaders can better align the development of internal candidates or the recruitment of a CISO with the right skills and qualities for their specific needs. This will help build a level of maturity that matches their own organisation's tolerance for risk, as the onslaught of cybersecurity attacks continues unabated into 2025.
WWW.INTELLIGENTCISO.COM 65