The CISO As Enterprise Integrator
Updated: Feb 5
“The whole is greater than the sum of its parts.” ~ Aristotle
Even in the 4th Century BC, it was understood that functions within an organization working together for a common goal produced better results than working independently. Somewhere between Aristotle and the modern MBA program, this lesson seems to have been lost as functional excellence became a criterion for bonuses and promotions. As a result of the movement towards digital transformation and organizational agility, the importance of enterprise integration is only now being rediscovered. Yet most organizations are hardwired for functional thinking, with budgets and senior management recognition systems as heavy influencers of silo behaviour.
Take the classic example of the Three Mile Island Nuclear Accident, where strong silos and a focus on functional excellence led to poor information flow between departments that needed to work together. The result? Lack of communications, internal competition and poor trust compounded a technical fault into a major accident. In their excellent book, Meltdown: Why Our Systems Fail and What We Can Do About It, Chris Clearfield and Andras Tilcsik clearly point out how in complex systems small mistakes and communication blockages can lead to catastrophic results.
Today’s businesses and organizations are becoming increasingly complex. The rush towards integrating digital technologies into every aspect of the organization dramatically increases that complexity. Supply chains have become massively complex and often harbour significant business risks. In many cases, supply chain risks are invisible to management. Design and manufacturing are no longer isolated from marketing and sales, since customer experience is becoming a significant competitive advantage in many industries.
We are working in increasingly complex organizations, and it seems that the only person who cuts across the silos and looks after the “big picture” is the CEO. With the increasing external demands on the CEO’s time, efforts at enterprise integration and at getting multiple functions to work together for a common enterprise objective often take a back seat.
Organizational silos are a significant business risk!
An Important Role for the CISO
The growing tsunami of attacks from cyber criminals and nation-state bad actors is seen as one of the top business risks by business leaders. A single breach could wipe billions off market value, cost millions in loss of downtime and system recovery, plus significantly damage both customer and employee trust in the company.
While cyber security lies squarely in the job description of the cyber security department, seeing enterprise cyber security as a functional responsibility is both naive and extremely risky. With 80% of cyber breaches the result of employee mistakes and behaviour, cyber safety becomes an enterprise issue, not a functional issue. All employees are important links to cyber security.
At a recent workshop on cyber security culture and risk mapping for a large European-based global bank, it quickly became apparent that cyber safety was an enterprise issue. The exercise revealed several key departments that have a significant impact on overall cyber safety, yet had minimal interaction with the Cyber Security department. These were Physical Security, Information Technology, Third Party Vendors and Human Resources. Each has its own functional objectives, budgets and challenges, yet in many ways all have a direct and significant impact on cyber security inside the organization. The C-suite also stood out as critical to overall cyber security; not just for their contribution to “tone at the top”, but for the significant number of cyber security exceptions generated by this group.
Silo focus and lack of overall alignment on key enterprise objectives often lead to sub-optimization, and hidden business risks.
In our experience, the CISO is in the perfect position to be the catalyst for organizational alignment, since cyber security risks reside in every function and every individual employee action. The CISO is one of the few people in an organization with an enterprise-wide perspective on security risks and could effectively act as the enterprise integrator, helping to mitigate current and potential cyber risks to the organization. A breach may happen in one area or from one action, but its impact is enterprise-wide and affects everyone. While market risk or operational risk are impacted by one or two functions, cyber security risk is inherent in every function and every employee.
Currently the role and responsibilities of the CISO are not well defined, and there is much discussion as to where the CISO should report and the breadth of their remit. Those companies that fully understand the enterprise and business risks of a cyber breach tend to have the CISO sitting on the senior leadership team. But in most cases, the cyber security function is still seen as a secondary technology cost centre reporting to the CIO or, in some cases, the Chief Risk Officer, CFO, COO or even the Legal Counsel. According to a study by the Georgia Tech Information Security Centre, 40 percent of CISOs reported to the CIO or CTO rather than directly to upper leadership. And the Global State of Information Security Survey 2018 estimated the financial losses that result from the reporting relationship of the Chief Security Officer.
We believe that seeing cyber security as a business issue and not a technology issue is key to putting in the proper organizational structure and enterprise objectives to allow the CISO to act as an enterprise integrator.
Cyber attacks are constant, growing and a serious business risk.