Delivering Successful Cyber Transformation Programs — The Eight Essentials

Accelerating cyber transformation against tightening budgets

There has never been a better time to become a CISO. Business-centric CISOs are in high demand, they are getting direct access to the board, and salaries are soaring. But this role also comes with immense pressure. Most CISOs are hired to salvage organizations from messy data breaches, address regulatory matters or simply, as a result of boards worrying their organization will be the next in the news for the wrong reasons. Amidst all this pressure, crooks keep outsmarting enterprises, unleashing new variants of stealthy malware at a phenomenal pace.

It’s therefore crucial for any new CISO to establish a high-value strategy and quickly close critical risks. Based on our in-depth collaboration with cyber leaders from dozens of countries that go through the Cyber Leadership Program, this is easier said than done. Most cyber transformation programs are delivered after four, five, or six years. In some cases, the programs fail entirely. Therefore, the question is: Why do so many organizations fail to deliver cyber transformation while others achieve significant success at a fraction of the budget? In the following section, we provide some recommendations for cyber leaders to formulate and execute high-impact cyber transformation programs.

Lock in the fundamentals.

While many vendors tout their technologies as panaceas to cybercrime, the reality is that most debilitating cyber threats exploit easily preventable flaws: aged vulnerabilities, excessive access rights, gullible workforce or servers needlessly exposed to the network. Fixing these flaws provides the highest return for security investments, but unfortunately, they are often overlooked because they don’t glitter like zero-trust networks, advanced biometrics or other bleeding edge concepts.

In our experience, leading CISOs prioritize cybersecurity fundamentals in the formative stages of the cyber transformation program. Here are six practical ways cyber leaders can quickly gather momentum and significantly reduce risk without a material impact on budget:

• Remove all unrequired direct connections to the internet, reducing the attack surface.
• Implement a vulnerability scanning and patch management regime to close all critical vulnerabilities.
• Remove unrequired third party direct access to the network.
• Enforce multi-factor authentication on high-risk applications, such as Active Directory or Office 365.
• Roll out a commercial user awareness program to establish a cyber savvy baseline and bring everyone, from the board to frontline staff, on the journey.
• Purchase a cyber incident retainer to gain immediate access to expert responders in the event of a breach.

When done right, prioritizing security fundamentals gives the CISO sufficient breathing space to carefully deliver more complex initiatives, knowing that the risk of a debilitating attack has been significantly reduced.

Define your target state.

As Jan Schreuder, COO and Co-Founder of the Cyber Leadership Institute, often says, the role of the CISO is pretty simple: tell the board what you are going to do, do it, and then tell them what you have done. Any successful cyber transformation program always starts with a clearly defined, ambitious, yet realistic roadmap. The plan has to be bold because the stakes are high. At the same time, CISOs must avoid the career-derailing mistake of promising a utopian view to the board. Engaging consulting firms and delivering glossy PowerPoint slides is easy, but delivering transformation is more challenging than often perceived. Before making any commitments, the CISO must conduct a swift assessment of potential roadblocks and find ways to mitigate the risks. CISOs can arrive at this by asking the following important questions:

• Is the organization saddled with complex legacy applications that cannot be flexibly integrated with modern security tools?
• Are there any entrenched political systems that may present formidable inertia to the transformation program?
• What additional digital transformation programs are in flight? Is there adequate access to critical IT resources?
• Do we have internal skillsets to deliver the required capabilities? If we are outsourcing, do we have vendors with proven records seamlessly delivering programs of similar complexity?

Answering these questions, listening to critical stakeholders and planning ahead will help CISOs deliver an achievable target state. In the absence of careful planning, the CISO will promise a Lamborghini and deliver a Toyota Corolla, denting their credibility with the board.

Develop a high-value cyber resilience strategy.

Fundamentally, the aim of any cyber transformation program is to address critical and high rated risks. But the days of viewing cybersecurity from the risk lens are gone. Leading CISOs take a broader view of cybersecurity and posit it as a powerful business enabler that can improve brand equity, help win new business, and maintain a license to operate. Every dollar spent in cyber transformation is diverted from competing business projects. So, it’s essential for the CISO to rigorously tie cyber initiatives to the broader WHY and business goals. Here are some practical examples:

• While acquiring a SOC 2 Type 2 certification may require substantial capex, the compliance seal will help the enterprise lower the cost of ad hoc and protracted vendor reviews and improve chances of winning high-value tenders.
• Training developers in secure coding practices reduces the likelihood of critical product recalls, engenders customer trust, and aligns with a core value of “always doing the right thing.”
• Implementing a robust cyber governance framework helps the enterprise comply with tighter prudential requirements, maintain a license to operate and reduce director personal liability.
• Migrating legacy platforms out of vendor support improves business stability, lowers maintenance costs, and closes critical vulnerabilities.
• Implementing a data loss prevention solution reduces the likelihood of intellectual property theft, protecting competitive position.

Obviously, there are several cybersecurity initiatives whose purpose is to solely reduce risk, but thinking beyond risk helps enlist stakeholder support, fosters accountability, and ensures the cyber transformation program is prioritized against other changes across the business.

Tightly linking cyber risk to corporate objectives requires an in-depth understanding of business operations, value chain, strategic priorities, risk appetite, and regulatory environment. It also requires CISOs to be provocative storytellers to persuade the board and executive management to take action.

Establish cross-functional governance and control of the program.

Cyber transformation impacts all business areas, so it is important to obtain buy-in and support from the key stakeholders across all business units. A cross-functional cyber transformation program steering committee will provide visibility into cyber transformation program decisions. The committee also sends an unequivocal message that cyber resilience anchors the enterprise mission. The program steering committee ratifies all key decisions, ensures program funds are allocated to areas of the highest risk, and approves crucial changes in scope.

To be effective, the steering committee must have senior representation from all major business units impacted by the transformation as well as key functions such as legal, risk management, technology, procurement, and finance. These senior representatives can also act as ambassadors, helping warm up their business units to imminent change, promoting buy-in, and overcoming resistance. In cases where most of these initiatives are outsourced, the program must establish a joint steering committee, pushing accountability to senior vendor management. A business-wide steering committee also fosters accountability and ownership, as senior executives feel they have significant skin in the game.

While the CISO remains accountable for the program, they must maintain a careful balance between keeping distance and staying deeply engaged. Leading CISOs hire experienced and dedicated cyber transformation program managers to manage all aspects of program delivery, including; scope definition, resource planning, progress measurement, benefits realization, cost tracking, and issue resolution — freeing up time for the cybersecurity team to focus on other value-adding and risk-reducing activities. The program manager must be empowered to make critical decisions and not relegated to administration and scheduling tasks.

Carefully prioritize initiatives.

The CISO must carefully prioritize initiatives to gain momentum, establish credibility, and close critical business risks. We provide four important considerations below:

1. Move high-impact and low cost/low complexity initiatives to Phase One of the program. This will get the ball rolling, garner business support, fast track capabilities, and reduce cyber risk. Similarly, the program must assess any critical dependencies or synergies and group initiatives accordingly. For example, the CISO must reduce the attack surface (removing needless internet exposure and decommissioning unrequired legacy platforms) before determining the scope of the penetration test exercise. Doing this reduces the cost of assurance and lowers organizational risks. Similarly, it’s imprudent for the enterprise to schedule red teaming exercises in Phase One when the organization hasn’t deployed 24/7 monitoring capabilities or matured its vulnerability assessment and patch management regime.
2. Certain high impact initiatives — such as mobile device management, encrypting data at rest, segmenting the network, or implementing data loss prevention — must be prioritized with due care as they can prove much more complex during execution phases than they seem on paper. For example, when employees unexpectedly push back on attempts to roll out mobile device management on their personal phones, fearing privacy concerns, the entire roadmap can be thrown into rough waters.
3. Any CISO hired to salvage a business following a data breach, a serious cyber incident that impacted customer service delivery, or a regulatory undertaking must prioritize the remediation activities that help the business regain customer trust.
4. It’s vital for the CISO to extensively consult with the key stakeholders — such as the board, CEO, CRO and product development team — and factor their priorities into the road map. For instance, the CFO may be concerned about an imminent insurance renewal, while the CRO is worried about a lax cyber assurance program. The CISO should never assume they know what’s important to stakeholders; they must constantly engage and actively listen.

Split the projects into short term outcomes, delivering incremental business benefits with agility.

Delivering project outcomes in smaller increments through the program’s lifecycle ensures outcomes and benefits are delivered regularly and quickly. This provides a demonstrable value of the program to stakeholders on a regular basis. Delivering with agility means the program can flex and adapt, as is necessary with a changing threat landscape.

Once the program commences, frequently and clearly communicate progress to senior management. Masking program delays, cost overruns, and other critical risks only worsen the problem and badly harms the CISO’s credibility.

Plan for the people and process change and impact assessment.

One factor often overlooked is the impact of change on the organization, and all too often, projects just focus on planning to get the technical bits right. Complex initiatives require a dedicated change manager who can work closely with the technical teams to identify pain points the new solution will introduce, anticipate cultural resistance challenges, and implement a raft of measures to smooth over the change.

Set aside some scoping and planning time to understand how the solution will fit your organization’s processes and existing technology. The solution you deliver will only be as effective as the people and processes around it that support its implementation. Communicating any cyber transformation change in advance and bringing people on the journey will be essential to the program’s success. To be effective, change management must include a combination of opt-in end-user briefing sessions, emails from senior executives explaining why change is required, clearly documented frequently asked questions and drive-by end-user support kiosks. Most importantly, change messages must be contextualized with a more intense focus on communities that will suffer the most impact.

Mature your program.

The program’s final phase focuses on maturing your program, optimizing what you have implemented, and measuring the program’s success. Delivering a new cybersecurity solution is only part of the journey. There is no point in spending millions on new capabilities if no one uses them. Once your cyber transformation program has delivered a new cybersecurity solution or the cybersecurity change you are implementing has been put into production, you need to fully operationalize the change to optimize and continuously increase the value delivered.

Long before a program workstream is closed, and victory is declared, the program team should ensure that easy-to-comprehend training guides are developed, and relevant administration teams are adequately trained. Manuals, guides, and standard operating procedures (SOPs) should be written in plain language — if they resemble hard-to-read flat-pack furniture assembly manuals, system administrators and users will simply trash them and revert to their familiar routines.

Operational handover checklists should be used to sign off critical controls such as integrating new systems into the security operations center, updating the asset inventory, server hardening, and user training prior to going live. Additionally, all new cybersecurity tools should be validated against agreed low-level design documentation to ensure they are configured according to good practice or vendor recommendations.

The program team must routinely revalidate the objectives of their initiatives to ensure that they are still fit for purpose, prioritized in accordance with risk appetite, and aligned to the business objectives. Projects deemed near obsolete, no longer aligned with enterprise goals, or premised on wrong assumptions must be terminated or deferred appropriately. Sadly, many enterprises keep throwing money into long-running cybersecurity projects despite mounting evidence that the project is doomed.

As the transformation program matures and transitions through different phases, key stakeholders move to other roles, and project teams get reshuffled. Therefore, it is important for the CISO to revisit the messages and reaffirm the WHY behind the strategy and overall strategic objectives, which often fades with time. Leading cyber transformation program teams maintain two-way communication channels — communicating their key wins to senior management while at the same time actively soliciting invaluable feedback from key stakeholders through surveys or one-to-one meetings.

Five essential disciplines to ensure success.

There is an ever-growing need for CISOs to transform beyond technology-centric executives into trusted transformation agents. This requires striking the fragile balance between speed and stability. Every significant transformation is fraught with uncertainty, and cyber transformation is no exception. In our experience, CISOs who have succeeded in accelerating cyber resilience did so by mastering five essential disciplines:

1. Using strong persuasion skills to get the most influential stakeholders invested in the mission from the start,

2. Resisting the urge to rush into execution and creating a clear-cut roadmap based on a cyber resilience strategy prioritized to deliver the highest business value,

3. Anticipating major pitfalls early and implementing measures to limit their likelihood and impact,

4. Regularly revisiting the transformation program and flexibly adapting it to internal and external changes, and

5. Using powerful storytelling techniques to constantly reaffirm their WHY and rally the whole organization behind the mission.

In the end, success depends less on technical tools but on winning hearts and minds.