CIO opinion
“Business leaders must work with security professionals to proactively assess specific risks to their organisation.”
Business leaders should regularly and actively challenge IT and information security leaders on how organisational developments and innovations could open them up to new risks. IT and security leaders must challenge the business to communicate not just their requirements, but also their aspirations for how systems will be used by people, employees and customers, so everyone can gauge potential risks. This is a two-way street: as much as information security leaders can push this dialogue, business leaders must make time to listen, comprehend and discuss the risks so that everyone can fully develop their understanding. Building a culture does not happen overnight. However, business leaders can:
• Emphasise cyber-risk in all their discussions
• Encourage cross-departmental cybersecurity collaboration
• Build awareness and education about cyber-risks into all the training materials of the organisation
• Link objectives, bonuses and pay to the identification and management of cyber-risk
• Set expectations that all projects, business cases and initiatives address cyber-risk and have consulted with the CISO
• Question and require regular reporting and updating from direct reports, the CISO and other stakeholders on the cyber-risk status of the organisation
• Mandate the creation or use of a cyber-risk governance framework, management standards and methodologies
In conclusion . . . leadership is key
The pace of change in today’s business landscape is increasing complexity and introducing new risks that challenge our understanding of what good business practice means in a connected world. It is time to set our organisations on a journey to becoming a resilient, thriving concern in this world. CEOs and boards can look to the cybersecurity profession as advisers, managers and fonts of front-line knowledge, but not as the front line of accountability.
Business leaders themselves must grasp the challenge, set the dialogue and motivate the robust understanding and response required to stand the test of real-world cyberattack. Cyber-risk is a business issue and responsibility, not just the domain of the experts.