Posted: 06 May 2020

Adapting your cybersecurity organization for the future: Insights for the modern CISO

Posted by Elaine Loo and John Gelinne on May 6, 2020.

As the world becomes increasingly interconnected, cyber is getting bigger, and it’s moving in multiple dimensions across multiple disciplines—beyond an organization’s walls and IT environments and into the products it creates, the factories where it makes them, the spaces where its employees conceive them, and where its customers use them. Cyber is at the center of digital transformation.

Understanding that is as transformative as cyber itself—and to be successful in this new era, organizations should embrace a “cyber everywhere” reality. In this new reality, organizations face constant pressure to continuously adapt in response to the Fourth Industrial Revolution and tightening labor markets. A pervasive challenge across industries remains the cybersecurity workforce gap, driven by a massive increase in attacks, rapidly advancing technologies, and the short shelf life of skills. In Deloitte’s 2019 Future of Cyber Survey, 95 percent of C-level executives surveyed confirmed cyberattacks were perpetrated against their organizations; nearly two-thirds reported these attacks had occurred within the past 24 months; there is no indication that this trend will slow over time.1

When this increased complexity and constant change of technology are coupled with talent gaps within cybersecurity organizations, CISOs are repeatedly challenged to find new ways to source and leverage talent.

Doing even more with even less

There is a growing gap in cyber talent in the market today. Deloitte’s 2019 Future of Cyber Survey estimated that there may be as many as 3.5 million unfilled cybersecurity positions worldwide by 2021. We are all familiar with the challenges around the high demand for resources and the lack of qualified resources, but even if you have a fully staffed function you may find gaps as existing technical skills become obsolete.

According to a study published by (ISC)², US businesses would need to grow their cybersecurity workforce by 62 percent to match existing demands.2 From a global perspective, the cybersecurity workforce needs to grow by 145 percent to match today’s demands.2

Since it is impractical and unsustainable to continually take people away from work for long periods of training or replace them with people who have more relevant skills, CISOs must reduce the burden on—and unlock additional potential from—their existing workforce. Building an adaptable cybersecurity organization powered by high-functioning cybersecurity teams allows everyone in the function to help solve emergent problems and build new skills—while simultaneously allowing CISOs to adapt to their dynamic reality without having to constantly switch out talent.

The adaptable cybersecurity organization

As one of the leading and largest cybersecurity risk advisory and Human Capital practices globally, it is our point of view that the modern cybersecurity function, from its relationships with third parties to the individuals performing the work, should be adaptable and efficient in order to respond adequately to increasing external threats and a growing talent gap. Adaptable cybersecurity organizations can help enable even large-scale global organizations to function with the agility of a startup.

The adaptable cybersecurity organization comprises five layers:

  • The ecosystem—how the work environment operates
  • The organization—how work is organized
  • The team—how work is delivered
  • The leader—how work is managed and led
  • The individual—how work is executed

In the context of “cyber everywhere”, it is important to embrace automation. Artificial intelligence (AI) and machine learning can enhance business efficiencies and permit today’s cyber workforce to proactively (and rapidly) address sophisticated cyber threats.

The ecosystem

External providers can take on more routine tasks (e.g., monitoring) and free up internal talent to focus on risk management and strategic priorities. The right vendors can also serve as a trusted, continuous pool of specialized talent, such as cyber forensics and incident response, that will partner with you when you have unpredictable security needs and require expanded capacity. These partners provide an opportunity to drive improvement and efficiency, bringing the latest external thinking, capabilities, and insights into an organization’s cybersecurity function. This external view can help cybersecurity employees better understand emerging cyber trends and apply outside learnings to implement new technologies. These partnerships may be the first step CISOs need to keep their employees aware of the latest technology, tactics, techniques, and procedures. Nearly every cybersecurity organization engages with external partners, vendors, and service providers, but in a limited capacity. These partners can do more than provide services and technology. They can support the CISO and help bridge the gap in both skillset and capacity.

Reflection checkpoint: Questions a CISO can ask when focusing on the ecosystem

Why do we have an ecosystem of partners? What is the holistic value we receive? How could our partners work better together? Are we picking vendors that provide ecosystem value and not just solution value? How is the organization positioned to respond to threats within the ecosystem? Does our response plan account for the ecosystem? Are we learning from them?

The organization

In addition to a complex external ecosystem, the CISO’s organization exists in a unique internal environment. The cybersecurity organization may reside within operations, IT, risk management, or even physical security. Understanding which capabilities rest within the cybersecurity organization and which ones should be owned by other functions is a critical decision and feeds into an overall cybersecurity workforce strategy.

For example, training capabilities within HR can be used to support cyber awareness and compliance, and internal communications groups can support broad cybersecurity culture and awareness programs. By considering what work should be done within the CISO’s span of control and what could be dispersed and executed by multi-disciplinary teams, cybersecurity employees can focus on their core work and enhanced value.

Reflection checkpoint: Questions a CISO can ask when focusing on the organization

How can we embrace multidisciplinary approaches to cyber risk management versus the traditional hierarchical approach? Are there capability redundancies with other functions? How will we keep other functions accountable to successfully govern and drive this work forward? How do we maintain segregation of duties?

The team

Much of today’s work in the modern office environment is accomplished by teams of functional experts working together to create solutions. However, there are instances when the cybersecurity team may feel the need to closely guard security operations (e.g., incidents, breaches, and response approach), driving them to work solely within their own team. When CISOs encourage their team to work cross-functionally to proactively address threats, the burden on their talent is reduced while concurrently facilitating effective integration between cybersecurity and other parts of the organization (e.g., legal, operations, finance, and HR).

One clear example of collaboration between cybersecurity professionals and outside departments is DevOps. Done correctly, DevOps keeps cybersecurity in mind from the beginning, providing the interconnectedness and guidelines required to develop applications securely across departments that are often separated within an organization’s structure. This approach “shifts security left” in the software development lifecycle and prevents unfavorable downstream impacts.

Interdisciplinary teams can also be useful in responding to security events. As part of an incident response, cross-functional teams that include groups like internal communications, crisis communications, IT, business, and legal are equipped to provide a more comprehensive and agile response. This team approach allows cybersecurity professionals to maintain a laser focus on their component of the response process. Beyond this, it is essential to expand your definition of “team” to the entire enterprise. All employees should have a sense of being part of the cyber team, understanding and internalizing their role in security across the organization. You can accomplish this through a broad-reaching cyberculture engagement campaign.

Reflection checkpoint: Questions a CISO can ask when focusing on the team

Where can we be more cross-functional? Are we embedded in other organization-wide teams where applicable (e.g., crisis comms)? What ability do our people have to self-organize? When assigning a cybersecurity person to a team, are we considering a risk-based approach? Are we setting these teams up for success?

The leader

As organizations pivot and adapt to the shifting cyber landscape, the adaptability of their leaders becomes even more essential. Effective leaders must be savvy enough to energize, orchestrate, and connect people across their ecosystem. Cultivating leaders with these traits can be daunting, particularly across highly technical functions. But this leadership challenge transcends industry, disciplines, and functions: In Deloitte’s 2019 Global Human Capital Trends survey, 80 percent of respondents felt leadership was a high priority for their organization. Of those respondents, only 41 percent felt their organization was ready or very ready to meet its leadership requirements.4

Developing your future cybersecurity leaders requires an intentional approach today. Putting mechanisms in place now to promote managers with existing, essentially human skills while also rewarding strong technical skills can help build your leadership pipeline. Cyber organizations should create multiple paths to leadership that promote people with high technical competence as well as those with naturally refined human skills (e.g., communications, business acumen, innate leadership). Future leaders should be given the training and coaching to be successful—throughout their career—so that they are equipped with the blended skill set necessary to succeed once they step into their leadership roles.

Organizations should also recognize that not all professionals seek out leadership promotions; paving a path for those with strong technical skills allows for specialization and an individual contributor role that is rewarding without sacrificing career advancement.

Reflection checkpoint: Questions a CISO can ask when focusing on the leader

Are we promoting natural people leaders or technical experts? Do people feel that the work they do makes a difference? Are our leaders bringing together people across the organization or giving direction to the resources below them? Is executive leadership aligned?

The individual

The final layer of the adaptable cybersecurity organization is the individual. As we discussed, individuals will need to adapt to new threats, technologies, and even business priorities, and not all of them want to advance their careers in the traditional sense. This can be a frustrating experience that drives turnover, unless the cybersecurity organization centers on innovative ways to retain personnel such as building in adaptability through continuous learning, career flexibility, and focusing on people rather than the job. In the adaptable cybersecurity organization, employees should be thought-resilient and change-ready.

CISOs should also explore how to develop talent through internal mobility, to help bridge existing talent gaps in their cybersecurity function and to enhance the overall employee experience.5 By leveraging internal talent, organizations can improve on-the-job learning in entry-level roles and source talent from non-cyber backgrounds; both are strategies to expand the pool of possible candidates.6 Organizations should source candidates with fundamental capabilities in analytics, problem-solving, adaptability to change, creativity, and effective communications.7 This, in turn, enhances the employee experience by giving them opportunities to learn and grow in areas they may not have been able to explore otherwise.

Taking advantage of technology such as automation and AI may help lessen the burden on humans and allow for new “digital FTEs” to process routine tasks and duties that don’t necessarily require human problem-solving abilities. A cybersecurity organization facing talent gaps can leverage technology to augment human talent and address essential needs.8 The adaptable cybersecurity organization should leverage automation such as AI and machine learning to turn common data inputs into algorithms, thus accelerating all five levels—from the ecosystem to the individual.

By implementing intelligence-based prioritization of those algorithms, digital FTEs are “employed,” and the organization incorporates a new aspect into its operational activities: confidence in validity. This means that the highest-priority alerts with the highest degrees of confidence get immediate attention from the individual. User-interface integrations with AI lessen the risk of human error by reducing the need for operations personnel to triage incidents across numerous monitors and operating systems. Additionally, situational awareness and data visualization are enhanced, data correlation occurs in real time, and responses are streamlined to true-positive alarms—all benefits that can drive quicker and more efficient response times. What results is an automated and accelerated adaptable cybersecurity organization.

Reflection checkpoint: Questions a CISO can ask when focusing on the individual

Am I staffing my organization with people who perform the tasks of today or for continuous risk management? How can I use technologies like Robotic Process Automation and Artificial Intelligence to help me reduce risk?

Conclusion

The accelerating pace of change in cyber threats and technology—along with continuous resource challenges—requires a different outlook on your cybersecurity organization. While there is no “one-size-fits-all” organizational structure, there are discrete ways to make intentional changes to your structure and explore talent pools that enable adaptability and efficiency to improve your cyber posture and organizational appeal.

For additional insight on adaptable organizations please see our report, The Adaptable Organization: Harnessing a networked enterprise of human resilience.

Authors

Elaine Loo is a principal for Human Capital at Deloitte Consulting LLP.

John Gelinne is a managing director for Cyber Risk Services at Deloitte & Touche LLP. 

Contributing authors:

  • Don Miller, US Organizational Design Analytics leader, and managing director
  • Tiffany McDowell, Organizational Strategy, Design & Transition Market Offering leader, and principal
  • Tara Mahoutchian, Cyber Workforce Solutions, senior manager
  • Andrea Koehler-LeStarge, Cyber Risk Services, senior manager
  • Sanjay Purohit, Cyber Workforce Solutions, senior manager
  • AJ Righter, Deloitte Consulting LLP, manager
  • Jerry Peruchini, Deloitte Consulting LLP, senior consultant
  • Brian Hum, Deloitte Consulting LLP, consultant
  • Christine Goglia, Deloitte Consulting LLP, consultant


Endnotes

1 Deloitte, The future of cyber survey 2019, p. 27
2 (ISC)², 2019 Cybersecurity Workforce Study, p. 8
3 Deloitte, The future of cyber survey 2019, p. 17
4 Deloitte, 2019 Deloitte global human capital trends: Leadership for the 21st century, p. 39
5 Deloitte, 2019 Deloitte global human capital trends: Talent mobility: Winning the war on the home front.
6 Brian NeSmith, “The Cybersecurity Talent Gap Is An Industry Crisis,” Forbes, August 9, 2018, https://www.forbes.com/sites/forbestechcouncil/2018/08/09/the-cybersecurity-talent-gap-is-an-industry-crisis/#687ea415a6b3, accessed May 31, 2019.
7 Deloitte, The changing faces of cybersecurity: closing the cyber risk gap, p. 19
8 Deloitte, Augment security: How cognitive technologies can address the cyber workforce shortage, p. 5

John Gelinne

Managing Director | Deloitte & Touche LLP

John, a managing director at Deloitte & Touche LLP, is a part of the Cyber Risk Services Strategy practice of Deloitte Risk & Financial Advisory. He helps clients prepare for, respond to, and recover from cyber incidents, and is responsible for Deloitte’s commercial cyber risk quantification, cyber wargaming, and technical resilience services that enable organizations to plan, adapt, and respond to dynamic changes, disruptions, or threats. John joined Deloitte after retiring from the US Navy. In the Navy, he held afloat command at various levels. He served on the Joint Staff, Office of the Chief Information Officer (CIO), where he was responsible for the continuity of information technology operations for the National Military Command Center prior to and during the 9/11 attack on the Pentagon. John’s last tour in the Navy was Chief of Staff, Fleet Cyber Command/10th Fleet, where he was third in command of the Navy’s cyber operations. John has been published in US Naval Institute Proceedings, Deloitte Review, Dark Reading and the Wall Street Journal’s CIO and CFO Journals on topics ranging from building resilience to cyber risk quantification. He was co-author of Deloitte’s “Beneath the surface of a cyberattack,” a study that describes the hidden costs associated with a cyber breach. John also recently co-authored an update to this original study “Beneath the surface of a cyberattack: Collision avoidance,” where he describes the business application of cyber risk quantification to mitigate cyber risk. John holds advanced degrees in Information Systems Management and National Security and has an undergraduate degree in Engineering from the United States Naval Academy.