This content is part of the Conference Coverage: 2018 MIT Sloan CIO Symposium: A SearchCIO guide

Enterprise cybersecurity strategy: What a CIO needs to know

Digital transformation is leaving businesses exposed to more cyberattacks. At the MIT Sloan CIO Symposium, panelists explain how much cybersecurity expertise is expected of CIOs.

With the global cost of cybercrime expected to reach $6 trillion by 2021 -- according to Cybersecurity Ventures -- cybersecurity can't be an afterthought for businesses. As companies continue to implement new technologies to spur their digital transformation journey, devising an enterprise cybersecurity strategy has become paramount to address new vulnerabilities.

With CIOs often driving enterprise digital transformation, how much knowledge should they have about cybersecurity? That was the question posed to panelists at the recent MIT Sloan CIO Symposium during a session titled CIO's Role in C-level Cybersecurity Leadership.

It is imperative for CIOs to have a depth of knowledge in the cybersecurity space, primarily because they play a pivotal role in their organization's digital transformation journey, according to panelist Lance Weaver, vice president of product strategy and emerging services at Equinix.

"[A CIO needs to be] able to protect those digital products -- the engagement, not just the back-end systems," Weaver, who has previously held CISO and CTO roles at GE, told the audience.

But a fundamental concern about security is rare among CIOs, according to Lev Lesokhin, executive vice president of strategy and analytics at CAST. While the role of the CIO in cybersecurity should be to own the problem, they often tend to delegate it to the CISO, he added.

CIOs need to ... have some sort of scorecard or status of the security health of the various networks and technologies they are managing, so they can see where the risks are, where the hotspots are.
Lev Lesokhinexecutive vice president of strategy and analytics, CAST

Although CIOs need to keep themselves informed about cybersecurity and know the right questions to ask, Lesokhin still believes it is unrealistic to expect that a CIO have knowledge about every area and aspect of cybersecurity.

"CIOs need to ... have some sort of scorecard or status of the security health of the various networks and technologies they are managing, so they can see where the risks are, where the hotspots are," he said.

Don Anderson, senior vice president and CIO at the Federal Reserve Bank of Boston, agreed that CIOs don't have to be cybersecurity experts, but they must have an understanding of their organization's unique cybersecurity concerns and focus on alleviating those risks.

The CIO can engage in an in-depth conversation with their CISOs to get up to speed about these cybersecurity risks and concerns, Lena Smart, managing director and global CISO at Tradeweb, suggested.

An enterprise cybersecurity strategy requires balance

Panelists agreed that while innovation is critical for businesses and involves risk-taking, companies should adopt best practices to balance this innovation with proper security processes.

When testing an idea or trying to figure out how to innovate, organizations often tend to take a long-term view rather than focusing on the more immediate risks, Equinix's Weaver said.

"You can get bogged down in the longer-term view of what that will look like at scale," he said. "If you back up, you will find there are a lot of things that you can de-risk on the front end ... and you will have much faster innovation while still maintaining the security side."

Finding that balance between security needs and business needs is a vital component of enterprise cybersecurity strategy, Smart added.

As developing an enterprise cybersecurity strategy becomes more crucial than ever, Weaver believes CIOs play a critical role in operationalizing security within the organization. 

"The CIO has a purview across the organization to ensure risk management," he said. "As we see more digital transformation occurring and more companies delivering digital products, the ability to own and integrate that fully within the company's process is very important."

Dig Deeper on Risk management and governance

Cloud Computing
Mobile Computing
Data Center
and ESG