filo/DigitalVision Vectors via G
4 steps CISOs can take to raise trust in their business
When CISOs align their investments with CIOs' tech investments, both can fuel business success and enable greater trust with customers, employees and partners.
A clear trend is emerging in today's volatile business environment: Highly trusted organizations have greater growth potential. Another clear trend: CISOs are key to building this trust and must align their tech investments with those of CIOs to achieve trust.
Forrester found that customers who trust a company are more likely to make repeat purchases, prefer the company to competitors, try other products and services, and share their personal information with the company. By contrast, an organization that experiences a data breach loses customer trust and decreases its revenue potential.
According to a recent Forrester survey, when seeing news of a data breach exposing customers' personal information, 25% of U.S. online adults said they stop doing business with the company temporarily, and 22% said they stop doing business with that company permanently.
It's no surprise, then, that CISOs play outsized roles in building a trusted business. To successfully build trust, CISOs must work in lockstep with the CIO and the technology team, a challenging proposition considering 72% of CISOs currently report to a department outside of IT, according to a 2023 Forrester security survey. While the CIO follows the principles of high-performance IT to continuously improve business results, the CISO must layer on relevant security initiatives that align with business and technology goals.
To achieve cross-functional alignment with IT and fuel business growth, CISOs can take one or more of the following four steps.
1. Implement zero trust to stabilize, operate and protect the business
When the IT organization prioritizes operational activities, such as efficiency, cost reduction and performance, it is focused on solidifying the core and delivering consistently. This is the time for the CISO to emphasize core zero-trust principles, starting with data and identity, that embed security into IT and build out a consistent security experience.
Invest in data security basics, including discovery, inventory and classification, to know enough about the data to protect it appropriately throughout its lifecycle. At the same time, streamline the identity management program with single sign-on to decrease the attack surface and MFA to reduce the risk of account takeovers. Use the principle of least privilege to limit account access and reduce the likelihood of attacker lateral movement.
2. Level up security programs to develop, deliver and operate new products and platforms
In some organizations, the business strategy emphasizes growth through new lines of business. IT supports these growth goals by building new products and platforms, often using modern architectures and development methodologies, and frequently collaborating with partners. The CISO must make sure security is well positioned to support these new architectures and partnerships.
For example, if the IT organization has started to use APIs, containers or microservices to bring new products to market, train the security team on these technologies, and invest in corresponding security tools to scan, monitor and protect these components. When protecting new products, the CISO must consider the entire ecosystem. This means securing the software supply chain and taking a close look at vendor and partner relationships to ensure they do not offer an easy way in for attackers.
3. Automate and scale security to streamline processes and optimize business outcomes
IT organizations that are focused on streamlining and optimizing invest in technologies that help teams do more with less, such as automation, AI and analytics. If security doesn't make a corresponding investment, either security processes slow down product releases, frustrating customers waiting for new products or features, or IT bypasses security in the name of getting to market on time, risking breaches that damage customer trust.
CISOs must target their investments to "shift everywhere" and integrate automated security scans and stage gates throughout the development pipeline so they can match the IT organization's desired scale. Use the stage gate requirements to drive a broader conversation about governance. As IT adds more automation, it relies on less security-savvy citizen developers to build apps. Support and protect IT's ambitions by defining and implementing guardrails around data usage and access controls.
4. Adopt emerging tech securely to drive business goals
Some IT organizations focus heavily on adopting emerging technologies to transform the business. If this sounds familiar, turn the security team's attention toward securing these new technologies, and pay close attention to how these technologies use data. Emerging tech, such as AI and IoT, pushes IT to use customer data in new ways -- for example, to create new models, improve customer engagement or introduce new partnership opportunities.
To support the business, security must enable expanded data use, while still protecting customer privacy. That means investing in emerging security technology, such as privacy-preserving tech (PPT). PPTs help enable multiparty data sharing, internal data sharing and analytics, data sovereignty, data monetization, cloud migration and generative AI training. In parallel, don't overlook the opportunity to apply emerging technologies to security use cases. While IT uses technologies like generative AI to transform the business, security can use those same technologies to create transformational security tools.
To successfully build trust, CISOs must understand how IT aligns with the business strategy and then take the steps necessary to align security with IT. These four steps are not sequential. Choose only those steps that make sense in the context of business and IT goals. By staying in lockstep with IT, the CISO ensures security is focused on activities that improve customer trust and drive growth.
About the author
Sandy Carielli is principal analyst at Forrester, advising security and risk professionals on application and product security, with a particular emphasis on the collaboration among security and risk, product management, application development, operations and business teams. Her research explores such topics as designing proactive security, protecting modern and emerging application architectures, protecting applications in production environments and embedding security throughout the product lifecycle. Carielli has more than 15 years of experience in the security industry and is a graduate of both Brown University and MIT Sloan School of Management.
