In this Help Net Security interview, Phil Venables, CISO at Google Cloud, discusses the results of a recent Google report on board collaboration with the C-suite — particularly the CIO, CTO, and CISO to stay current with trends and prioritize security, rather than treating it as an afterthought.
He emphasizes how regular talks with security leaders help board members stay informed about their IT modernization journey’s status and the various threats impacting the organization.
Some argue that boards focus too much on cybersecurity as a standalone issue. Why do you think boards must view cybersecurity within the broader context of technological modernization?
Traditionally, we are seeing a growing trend around investing in cybersecurity, but not in modernizing the foundational technology behind it. Boards should prioritize conversations around how an organization can modernize their technology infrastructure, leveraging architectures where security is built in, not bolted on, to drive better security, agility, and efficiency.
Legacy systems may not be built or designed to be as secure as more modern technology infrastructure (typically cloud or cloud-like on-premises). Over the last decade, there have been numerous instances of businesses making significant investments in security tools, but failing to upgrade their overall IT infrastructure or modernize their software development approach, leaving their entire technology platform vulnerable to attack.
Without modern infrastructure, an organization is not secure. Boards must view their approach to cybersecurity through this lens when making business decisions to ensure they reap the full benefits of a modern approach to threat protection.
How can boards balance fostering innovation and ensuring that security remains a priority throughout the organization’s initiatives?
Organizations everywhere are seeking to leverage the power of emerging technologies. We’re seeing tools like generative AI enable organizations to improve, scale, and accelerate the decision-making process across most business functions.
As boards consider how to best support their organizations on this journey, they should embrace a bold and responsible approach to these tools – minimizing risks by working with CISOs via a three-pronged approach to secure, scale, and evolve. Using this approach, board members should:
- Understand how their organization plans to deploy emerging technology.
- Work with the CISO to understand how best to leverage the power of innovative technology to achieve better cybersecurity outcomes at scale.
- Work with the CISO to stay informed on developments in this space to anticipate threats.
Can you describe the dynamic between the CIO, CTO, and CISO in partnering to drive a more defensible technology platform? How do their roles complement each other in this endeavor?
One of the biggest misbeliefs is that the CISO and CIO/CTO have conflicting priorities – in my experience, that has been far from the case. I have not met a CIO or CTO who does not feel deeply responsible for cybersecurity and, more broadly, technology and information risk management. Like an organization’s CISO, they are often also held formally accountable by the board and executive leadership.
CIOs and CTOs are invested in assuring security, but often have to balance this with an organization’s business or mission goals, and build agility into their IT organization. They rely on a successful partnership with CISOs to ensure they are successfully delivering security in an integrated, fully embedded, engineering-oriented and agile way.
How can boards more effectively engage in the strategic positioning of technology within their organizations? What questions should they be asking of their management teams?
Boards should be asking questions about technology and digital capability frequently – at least on a quarterly basis, if not more. Regular discussions with security leaders helps board members remain educated, be engaged, and stay informed on both the status of the IT modernization journey and the various threats impacting their organization.
Boards should consider asking their management team questions that bridge common misconceptions and intelligence gaps, ensuring they feel empowered to make strategic decisions on technology priorities.
Questions to consider include:
- How is the use of technology being governed within the organization? Is clear accountability assigned and is there clarity of responsibility in decision making structures?
- How well does the use of technology align with and support the overarching business strategy, such that the modernization approach can be tailored to achieve the intended outcomes?
- How is the organization’s structure and operating model evolving to both fully leverage new technology and increase the likelihood of a secure and compliant adoption?
What risks do organizations face when their security teams constantly play catch-up, and how can boards and executive leadership prevent this scenario?
Today’s threat landscape continues to grow in complexity, and combined with talent shortages, means many organizations are failing to stay ahead of cyber threats – often only being able to react and remediate following an attack. Such a reactionary approach impacts an organization’s resources, wasting time and money.
Boards should consider security implications and overall risk as part of all business decisions, and ensure continued collaboration with stakeholders to maintain relevant oversight and help guide business priorities.
As boards guide investments into new business initiatives, how can they ensure security considerations aren’t sidelined or treated as an afterthought?
It’s essential that security is incorporated into all new business initiatives. To achieve this effectively, boards should promote more in-depth collaboration between the C-suite — particularly the Chief Information Security Officer, Chief Information Officer, Chief Technology Officer, and Chief Compliance Officer—and business leaders, to incorporate better security into all products and services, rather than treating security as an afterthought.