Interview: Martin Tyley Explains How CISOs Can Step Up to a C-suite Role

The expanded cyber-threat landscape since COVID-19 has been highlighted by numerous studies over the past 18 months or so. For example, just this week, Deloitte’s 2021 Future of Cyber Survey found that 98% of US-based organizations experienced at least one cyber event in the past year, while 86% of US firms experienced a higher rate of cyber-threats due to COVID-19.

It is clear that cybersecurity is more important than ever to an organization's overall success and health. Therefore, securing more influence and funding within a business is crucial, and this is where security leaders, particularly CISOs, need to come into their own. Infosecurity recently caught up with Martin Tyley, partner and head of UK Cyber at KPMG, to ask about the changing status of CISOs and how they can work more closely with board members.

Has the status and influence of CISOs within organizations grown since the start of the COVID-19 pandemic? If so, how has this manifested?

Compared with two years ago, cybersecurity is a far more frequently discussed topic in the boardroom. In the KPMG 2021 CEO Outlook Pulse Survey, cyber risk was ranked as the number one organizational threat by global CEOs, with data security taking priority above any other investment.

As companies flocked to digital technology in their droves to ensure the continuation of their operations at the beginning of the pandemic, the CISO’s status immediately stepped up a notch. Suddenly, every business decision had to factor in cybersecurity, and CISOs found themselves involved with business-critical issues that they hadn’t dealt with before, such as robust supply chains, product security, resilient operations and brand trust.

Once viewed as a mainly technical role, CISOs have been catapulted to the role of organizations’ risk advisors, responsible for embedding a cyber-conscious culture and advising the leadership team on the cyber implications of strategic decisions. However, while their status has skyrocketed, their influence has always kept pace. When COVID-19 hit, most CISOs didn’t necessarily have the strong relationships at the board level to get their messages across to ensure the appropriate security measures were in place. Unfortunately, in some cases, this still rings true.

Martin Tyley, partner and head of UK cyber at KPMG
Martin Tyley, partner and head of UK cyber at KPMG

How do you advise CISOs effectively communicate the cyber-threats facing the organization to the CEO and board members?

CISOs should leave technical speak at the door and talk to the board in a business language they can fully understand. Boards need to know how the cyber threat landscape relates to customers, employees, profits and the organization’s reputation. That said, improving communication with the board goes far beyond speaking in layman’s terms. Instead of talking at the board, engage them in activities that simulate what would happen in the event of a cyber-attack. We have repeatedly seen that when a theoretical threat is turned into a business crisis, it has a massive impact on boards. The result is a deeper understanding and a greater sense of confidence that risk is being properly managed. In addition, boards recognize that the organization’s operational goals are not being prevented through over-control or put at risk with significant control gaps being exposed.

How can CISOs effectively make the case for extra cybersecurity funding from the board?

Boards up and down the country are increasingly aware of the damage a cyber-attack can cause. The impact of cyber incidents is increasingly broad, ranging from direct fraud to the loss of operations because of a ransomware attack, through to fines from a regulator if the organization cannot demonstrate they took the proper steps to protect their networks. All of these can put pressure on an organization’s reputation and erode trust with stakeholders – from customers to employees. Yet, despite this, security teams don’t always get the funding they need.

Most boards and businesses have cases for investment that far outstrip the funding available, so to succeed, cyber teams must speak in the same language as the rest of the business, starting with the numbers. Explaining how much an incident could cost, how likely it is to happen and where the biggest bang for their buck is in plugging that gap (and supporting this with data) gives boards the correct information to make an informed decision.  

"Cyber teams must speak in the same language as the rest of the business, starting with the numbers"

While it may seem as straightforward as highlighting these attacks to prove the importance of increased investment, it is not all about fear – there are other objectives to bear in mind as well. Rapid digital transformation is high on businesses’ agendas, but factoring in cybersecurity to digitization can easily be seen as holding things back and a barrier to progress. Yet, effective cybersecurity controls sensitive to the needs of the business are anything but a barrier. By incorporating cyber into the business planning process, organizations will experience fewer ‘regret costs’ further down the line, less remediation and lower overall costs. As businesses continue to expand and ask questions such as, “can we open up in new markets?” or “can we offer our product direct to the consumer?”, with the right security measures in place, they can be answered much faster and with greater confidence. This is because the organization will understand the cyber risks of today and tomorrow and has put in place the digital building blocks to enable that agility. This is the vision, but it can’t be achieved overnight – CISOs will have to put in the effort to have these conversations over time to realize these changes.

Overall, do you believe the role and skills required of CISOs have evolved during the pandemic?

Without a doubt. Because of their newly elevated role, we have seen CISOs building new skillsets and a different mindset to concentrate less on security and compliance as standalone issues and instead consider the broader risks and opportunities facing their organization.

With wider responsibilities, they have also had to understand how to work with the other various functions within their organization. Knowing how each department operates makes it easier to envisage the obstacles cybersecurity might create across the business and how it can be used as an enabler to improve how each function works. As part of this, CISOs are acquiring the ‘soft’ skills required to establish and build relationships and influence behavior as their role becomes increasingly significant.

By forging relationships with multiple stakeholders, it will be easier to educate other functions about the business risks and threats facing them on a personal level – effectively turning from ‘enforcer’ to ‘influencer.’

What’s Hot on Infosecurity Magazine?