Three things CISOs need to do differently in 2020

Security leaders need to connect their work to broader business goals and create a culture of learning to attract talent.


Chief information security officers need to focus on communication, collaboration and culture in 2020 to improve cybersecurity and boost the profile of the security team as well. Security professionals in general need to think beyond systems and technology to connect security priorities with overall business goals, according to a new report from KPMG.  

KPMG's new report, "All hands on deck: Key cybersecurity considerations for 2020," offers advice about how CISOs can improve communication and collaboration skills as well as build a work environment that will attract the best new talent.

Build a modern culture

Dani Michaux, a principal at KPMG Cyber Security Services, said that security veterans need to accept that the world is always changing and continually assess the best available technology to defend the enterprise.

The entire security team needs to be a learning organization to attract talent and keep up with new threats and new defenses, Michaux said. Developing this attitude will let prospective employees know that they are joining a company that is open to innovation and experimentation, not one that is hyper-risk-averse and slow moving.


To reinforce this culture, security leaders should think small and act fast and use the cloud to break things, rebuild, and improve.

"Security teams have to realize that it's OK to break things as long as you learn something from it quickly and apply that knowledge productively," said Caleb Queern, a director of KPMG cybersecurity services.

CISOs should take an honest look at automation in 2020 as well. Ask what artificial intelligence can handle and what requires human attention. The goal should be to automate at least 50% of the basic controls of the security environment.

Finally, security professionals should be able to read and write basic code. This has two benefits: it will earn the respect of DevOps engineers and it will help security pros know when to influence the development process.

Collaborate with other company leaders

KPMG recommends that security teams communicate with different business heads about what the company really needs to worry about. A CISO should make it a point to join the conversation about digital transformation projects and serve as the connective tissue between the business leads, digital team, and security group. Developing common goals will improve communication and the chances of success, the firm says.

Working more closely with colleagues outside of IT will also help security leaders understand the company's competitive edge in the market, KPMG says. Whether this is intellectual property, pricing power, or the supply chain, that business element requires the best cybersecurity.

Europe's General Data Protection Regulation and California's Consumer Privacy Act are just the start of regulations around data and cybersecurity. To deal with this increased scrutiny, CISOs should work with their corporate colleagues to prepare for new laws that are in process. Businesses need to master data analytics as a discipline and answer these questions, according to KPMG:

  • Where is the data located?
  • Who owns it?
  • What's being done with it?
  • What rights and permissions to data do users have?

Security team leaders also should hire IT pros who are familiar with the regulatory environment, particularly in the healthcare and finance industries. These hires can lead ongoing testing of the company's regulatory compliance program.


Expand your communication strategy

One of the biggest challenges for security professionals is translating their knowledge and expertise into a broader business context. 

KPMG recommends that CISOs work to understand and communicate the connection between business enablement, business resilience, and information protection.

If CISOs become more comfortable speaking the language of business, it becomes easier to ensure that security messages are understood and acted on. CISOs need to visualize a company's specific operational priorities and partner with other business heads to incorporate those insights into the company's cybersecurity plan.

Security leaders also should work closely with corporate communications and customer service teams, as reputational damage from security breaches becomes more and more important. The security team should be part of the messaging strategy to explain the situation and reassure customers.
