CISOs have to change their approach to cybersecurity, say experts

CISOs can’t be blamed for feeling under siege: Every day there are news reports of another data breach around the world — and that’s the public tip of the iceberg. Behind closed doors they get reports from staff about suspicious network behavior that may or may not be an attack.

Small wonder they feel helpless. But a trio of security experts for the McKinsey consultancy says infosec leaders are going about security the wrong way.

Tucker Bailey, James M. Kaplan and Chris Rezek recently released a new book, Beyond Cybersecurity: Protecting Your Digital Business, which argues that CISOs worry too much about trying to protect the organization and comply with regulations rather than integrating security into business operations.

“As a result, they get the wrong answer about how to construct a cybersecurity program,” the authors say in a condensed blog version of their book.

Their answer is to build what they call digital resiliency: design applications, business processes, technology architectures and cybersecurity defenses so that protection of critical information assets is built in. That way, they say, CISOs will get more bang for their buck.

Briefly, they say it will take six steps to get there:

– Start by identifying all risks to data. “Effective cybercapability assessments not only address existing protocols, personnel, and tools but also governance, controls, the security architecture, and delivery systems,” they say;

– Target three types of mechanisms to step up the security of their information assets: business-process controls, broader IT controls and cybersecurity controls (such as encryption);

– Work out how best to deliver the new cybersecurity system;

– Establish your risk–resource trade-offs, then present a plan with options to management for risk reduction and resource commitments;

– Once the organization has defined its risk profile, develop an integrated security plan that aligns business and technology;

– Ensure sustained engagement in the program from the top.

“Senior, cross-functional oversight is essential to avoid a mere patchwork of compromises that will undermine digital resilience,” write the authors. “Given the stakes, nothing else will do.”

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
