Headline
Cybersecurity is a Team Sport
Enterprise security goes beyond tech leadership, and beyond the CISO’s office. Achieving cybersecurity and resilience is a team effort, and requires building a culture of security awareness.
Source: Image Source via Alamy Stock Photo
A chain is only as strong as its weakest link. When it comes to cybersecurity and resilience, the entire organization should be involved. Good security hygiene needs to be a fundamental part of company culture, and the organization’s executive leadership should make it clear that abiding by security practices is part of achieving business objectives.
Infusing security and operational resilience throughout the organization requires understanding the needs and workflows of all departments, how different teams use technology, where sensitive assets are stored, and who has access to them. To align security and business goals, company leaders must plan ahead, encourage proactive communication across departments, and foster and reward a collaborative culture.
Everyone Has a Role to Play
We believe cybersecurity risk should be viewed through the lens of overall business risk. A security breach can be devastating for an organization, with long-lasting impacts that reverberate across many facets of its operations. A data breach can significantly damage a company’s reputation, erode customer trust, and make it challenging to attract and retain talent. With that in mind, cybersecurity hygiene is as much about business strategy as it is about technological tools.
With so much at stake, the responsibility for cybersecurity and resilience extends far beyond the office of the chief information security officer (CISO). Successful organizations understand the multifaceted nature of security, and recognize that successful CISOs closely partner with their peers to define and implement the organization’s security strategy. In this article, we take a closer look at effective collaboration amongst these stakeholders, as further described below.
The CEO establishes the business strategy and is accountable for the operational risks that could impact the business, partnering closely with the chief operating officer (COO) who is responsible for the implementation of that strategy. It’s important that the CISO develop, communicate, and implement a security program that’s aligned to the business strategy, risk appetite, and strategic organizational goals, while simultaneously mitigating the organization’s risk. This is an area where the CEO, COO, and CISO can provide executive leadership and speak with one voice to ensure a security-oriented mindset is considered when developing policies and deploying technical and operational controls.
Likewise, the CISO and the chief technology officer (CTO) should collaborate to articulate a cybersecurity strategy that closely aligns with the organization’s technology plans, jointly assessing the risks inherent in existing and planned technology initiatives, and defining the controls posture needed to achieve compliance with relevant policies, rules and regulations.
We’ve observed that in many organizations, the roles of the CISO and the chief information officer (CIO) often overlap to some extent, with the CIO typically focusing on the features and functionality of information systems, while the CISO is more oriented toward security and compliance. Working together, these leaders can develop a highly functional system that aligns to the needs of the organization and helps deliver on business goals whilst enabling security, privacy, and compliance.
In addition to working closely with the stakeholders noted above, the CISO would benefit from forming ties with the organization’s chief risk officer (CRO) as well, with whom there are opportunities for collaboration to align on the overall scope of operational risk faced by the organization and identify opportunities to mitigate that risk through a strategy that appropriately balances people, process, and technology in a manner commensurate with its overall risk appetite.
Similarly, the CISO would be wise in also partnering with the chief compliance officer (CCO) to ensure that the development of the organization’s cybersecurity posture is informed by and aligned with relevant regulatory requirements which may span multiple regulatory jurisdictions and geographies.
A comprehensive understanding of the respective spheres of influence and requirements from the various stakeholders noted above can inform corporate policies and procedures, and serve as the basis for building a culture of cybersecurity awareness that’s reinforced with regularly recurring training and communication throughout the organization.
**Organizational Principles **
Putting this approach into practice, organizations often turn to cybersecurity frameworks, such as those developed by NIST or the Cloud Security Alliance, which can be instrumental in holistically and programmatically assessing security risks. For instance, the NIST framework sets out its core elements as belonging to one of the functions noted below:
Identify: Assess the organization, including how work actually gets done in different business units and where potential vulnerabilities can be found.
Protect: Put safeguards in place for sensitive data and critical services.
Detect: Define how cybersecurity incidents will be detected.
Respond: Document plans for responding to a cybersecurity incident and make sure impacted stakeholders are scoped into the response.
Recover: Plan for how the company will recover from a cybersecurity incident, both in the short term and over time.
However, these frameworks are just tools, and should not be conflated with serving as a security strategy. Building and maintaining a resilient and secure company means cultivating a culture of security awareness throughout. Effective collaboration between leaders and departments is crucial for the successful execution of an organization’s cyber strategy and its ability to provide a holistic picture of the state of cybersecurity in the organization, as well as individual team members’ understanding of their roles in supporting and executing the overall strategy.
Ongoing professional development and building cross-functional security teams are crucial elements of developing this culture of security aimed at identifying and preventing incidents from occurring. However, it’s equally important to consider how learnings can be gleaned from incidents in the unfortunate event that they do occur. That’s where practices like blameless postmortems come in. A sense of teamwork and a “we’re all in this together” approach are vital for building a cybersecurity culture that takes root throughout your organization.
Read more Partner Perspectives from Google Cloud
About the Author(s)
AMERS Financial Services Executive Trust Lead, Google Cloud Office of the CISO
Marina supports Google Cloud’s financial services customers in the Americas on Trust topics throughout their cloud journey, focusing on regulatory compliance, risk management, governance and oversight, cybersecurity and privacy.
Prior to joining Google, Marina held Legal and Compliance roles on Wall Street, overseeing the broker dealer compliance program at Thomson Reuters (now Refinitiv), leading US Compliance for the Technology, Human Capital Management and Corporate Services divisions at Goldman Sachs, and most recently, running the Digital Compliance team at BNP Paribas where she specialized in advising on emerging technologies including AI/ML and digital assets, and oversaw programs related to cybersecurity, data privacy, and cloud digital transformation initiatives.
Office of the CISO, Financial Services, Google Cloud
David is in the Office of the CISO at Google Cloud where he shapes cloud security and risk management practices for the Financial Services Sector. He has over 15 years of experience implementing security policies and strategies, protecting information assets, preparing and testing incident response plans, and developing security protocols.
David helps customers reduce operational risk by ensuring organizations have the people, technologies, and processes in place to enable business operations while preventing, detecting, and responding to threats. He also specializes in advising on compliance to laws, regulations, and standards that govern information security, including ISO, NIST, and FISMA frameworks.
Before Google, David worked in both the U.S. government at DoD and DHS and the financial services sector at JP Morgan Chase and Credit Suisse.