How CIOs and CISOs Can Power the Business Ecosystem Through Secure Access

The trends in cybersecurity are rapidly shifting from "trust but verify" models to ones that assume that every activity is insecure until proven otherwise. In an age of high-profile security attacks and complex business ecosystems, sophisticated phishing schemes are prolific. Organisations of all shapes and sizes are seeking new ways to protect their finances, reputations, and business operations. 

With ‘digital’ being integrated in many areas of the value chain for organisations, cyber risk is no longer limited to the IT organisation. How can CIOs and CISOs manage risk holistically across the business? CIOs and CISOs from our France community gathered recently to discuss how to enable the business while mitigating risk. 

Bevan Boote, Regional Director, SASE at Aruba, moderated the discussion, and Evanta Governing Body Members Sébastien Carriere, Head of Technology and Group CISO at Louis Dreyfus Company and Michel Tournier, IT Operating Partner and Digital Director at Wendel, contributed as panellists.

The panellists set up the discussion by noting that CIOs and CISOs today wear two hats – focusing on broad business priorities and their functional priorities. As they enable new and innovative technologies, it increases the risk to the organisation. The executives shared how security teams increasingly have to balance the speed with which the business wants to move with the implementation of appropriate defences. 

The discussion covered three topic areas: 

1. Enabling the business while protecting the ecosystem.

CIOs and CISOs confirmed that cyber security is a top priority and discussed some of their areas of focus. Executives remarked that it is critical to work as an ecosystem and secure the supply chain. In fact, supply chain security was a challenge for many, with some noting that it takes a lot of time and resources, and some questioning the value of sending questionnaires to their suppliers. Security leaders commented about having questionnaire fatigue, and others noted that it’s challenging to move from questionnaires and assessments to more meaningful improvements to operational security. 

An additional area of concern for CIOs and CISOs is the end user, which is a common way for attackers to enter the ecosystem. End users can be less mature in their security awareness, and one executive said they experience more automated attacks aimed at the end user. Another CISO shared that security education is an ongoing challenge and that it’s “easier to improve machines than mindsets.” They can approach this with self-assessments and other tactics, but added that the strategy is ever-evolving, much like the threats. 

Other security concerns raised in the discussion included automated attacks, in which it is harder to contain the volume, and sophisticated attacks, in which hackers use generative AI to leverage accurate data and information in phishing emails, making them harder to detect.
 

1. Implementing state of the art security concepts like zero trust and SASE.

Executives discussed how complex it is even for good models like zero trust and SASE to encompass the full security landscape. They shared that their ecosystems are so complicated that it makes implementation of these security models challenging. CIOs and CISOs also do not want to add too many layers or constraints for their users. However, they still believe that adopting zero trust and SASE are “the north star.” 

The CIOs and CISOs also talked about the areas they are most concerned about from a security perspective, including the OT environment, industrial components, and third-party suppliers. They discussed the pros and cons of eliminating VPN, as well.
 

1. Communicating risk effectively across the business.

The panellists noted that cybersecurity and operational risks are top of mind for board members currently. One challenge for executives is articulating risk appropriately to board members and other non-tech stakeholders. They want to educate them without scaring them, and some executives suggested tactics like phishing or crisis simulations. 

Executives believe there is a difference between stakeholders who have not experienced cyber attacks and those who have, with the former possibly underestimating how damaging they can be, and the latter perhaps being overly risk averse. Another executive shared that it’s important to convey to board members that “ultimately, we cannot provide zero risk.”

Other suggestions from the discussion included establishing a mutual understanding of risk and enabling others to make risk-educated or risk-conscious decisions.

As one CIO said in summary, “There are two types of CIOs – those that have been hacked and know it, and those who have been hacked and don’t know it.” Risk is inevitable for organisations today, and CIOs and CISOs are mitigating risk in multiple ways by considering the security of their holistic ecosystem, educating their stakeholders, and employing state of the art security models where possible.

IT and security leaders can continue the discussion on cybersecurity strategies and more at the upcoming France Executive Summit for CIOs and CISOs on 5 December. In addition, the France Community has another upcoming Town Hall for CIOs and CISOs on 16 November. Or, explore an Evanta CIO or CISO Community near you, and apply to join a community of your peers.