-Geoff Schomburgk, vice president, Asia Pacific, Yubico
The popularity of Working from Anywhere (WFA) arising from the pandemic has accelerated Digital Transformation for many organisations. As companies take on digital transformation projects and evolve their IT infrastructure, the risks are changing, too.
As cyber threats have grown in intensity and sophistication, cybersecurity has become a more strategic business priority and is no longer the sole responsibility of the CISO’s office; it has become a broader corporate responsibility.
Due to this corporate focus on cybersecurity, many organisations’ security functions have changed dramatically in recent years. Security departments used to be completely separate and were often perceived as an obstacle to new initiatives, however, this is now unthinkable due to the pace of modern business.
CISOs have had to evolve in their role to become transformational leaders who can empower the business and drive innovation.
The CISO’s role was previously limited to safeguarding an organisation against cyber threats and reducing potential risks. However, with ongoing digital transformation, the focus of the CISO has shifted and the role is rapidly becoming more strategic and influential.
Today, the role of the CISO is measured not only in whether the business suffers losses because of a data breach but also in how security preempts new initiatives and makes it possible to launch new services and applications to market faster.
Implementing robust technology solutions to protect digital assets remains a core component of the role of the CISO. However, they are increasingly facilitating Digital Transformation projects with Zero Trust frameworks that secure identity as the new perimeter.
Modern authentication is seen as a “continuous process” and identity is an essential building block for implementing a Zero Trust strategy.
Responsibility for regulatory compliance
As businesses become more digital, the CISO must be aware of the evolving regulatory and compliance landscape and data privacy and security implications. And because CISOs are expected to help with regulatory compliance, they also need to know about a host of regulations that affect the cybersecurity industry, including, where applicable, the Payment Card Industry Data Security Standard (PCI DSS), the Online Safety Act of 2021 and the Security Legislation Amendment (Critical Infrastructure) Act 2021 (SOCI).
Many key ingredients needed to implement Zero Trust security are already at a CISO’s disposal. They include identity and access governance, authentication, authorisation and privileged access management.
There are clear links between traditional identity and Zero Trust and organisations with proactive CISOs can begin to look forward to the myriad of benefits of identity-driven security.
The CISO needs to understand the business risks and, more importantly, the consequences of compromised corporate data. CISOs must ask themselves – What is the value of the business’s data, such as personal information, financial information or medical information, for employees and customers?
Who might want that information, and what value does it have for them? For CISOs, passwordless is one obvious security strategy that is highly secure, easy to implement and easy to use.
Moving away from passwords
The industry is on the cusp of replacing passwords and legacy Multi-factor Authentication (MFA) methods with modern open authentication protocols, like FIDO2. This will enable widespread adoption of phishing-resistant and easy-to-use modern MFA solutions like hardware security keys that are secure and easy to use, deploy and manage.
Ultimately, this will help CISOs eradicate an entire class of issues that have long been associated with passwords.
Many CISOs will now be encouraged to move towards a passwordless future to ensure their organisations are more secure. Implementing passwordless practices will help mitigate cyber risks and allow CISOs to spend more time on strategic projects.
It will also enable their security teams to be more proactive with security protection rather than always being reactive.
The CISO’s role is to educate
Adopting cyber-safe practices in an organisation is the best way to mitigate cyber risks. So, the role of the CISO is to engage and educate people at all levels, from the board down, on the importance of cyber hygiene and how easy it is to use MFA solutions to securely gain access to corporate systems.
Before implementing MFA, user education is essential, as employees will have become accustomed to passwords. Organisations will therefore need to put significant efforts into raising awareness, as they do with any digital transformation project, so their users can feel comfortable with the new passwordless technology.
My final piece of advice for CISOs
Organisations are now placing much more emphasis on cybersecurity and data protection, and the role of the CISO has become an incredibly challenging one as they are pulled in many different directions.
Consequently, experienced CISOs are now very well-rewarded, highly respected in their organisations, and often have a seat on the board. The best advice I can give up-and-coming CISOs is to stay educated and compliant and ensure they are valued as much as they should be.