The CGI Global 1000 outlook brings together findings and insights drawn from in-person conversations with 1,000 senior business and technology leaders. In this blog post and several others planned for the near future, we will share some specific cybersecurity insights from these conversations.
One of the main strategic findings is that the leaders interviewed indicated a key shift in position for cybersecurity: it has made the leap from a technical issue to a top IT and business priority. It is also now an enterprise-wide concern, where barriers to progress encompass people, process and policy, as well as technology.
While the vast majority of leaders interviewed said they have a cyber program in place, they are at various stages of maturity. In some industries, the high cost of security compliance is limiting investments in digital transformation. In others, cybersecurity is starting to become an enabler of new digital value propositions that have security “baked in.”
The required path to greater maturity is to move from viewing security only as a mandatory part of running the business to also viewing it as a key enabler of change and growth. Only 14% of leaders interviewed said they are at a level of maturity where cybersecurity is part of their value proposition. But the bar for maintaining a strong cybersecurity posture is rising constantly, and the majority of organizations just do not have enough internal resources or skills to keep up. As a result, they should look to move some basic operational security functions to trusted third parties.
Following IT’s path to a seat at the table
Information technology has been part of boardroom conversations for many years and is considered essential to how business is done. For cybersecurity, however, discussing how it enables the business is a much bigger leap. As cybersecurity practices mature, they must move up the internal value chain to get the attention and raise the awareness of executive decision makers.
When starting a new business process or creating a new revenue stream, at what stage does your organization talk with the security team? Addressing the advanced threats of tomorrow requires that security be “baked in” to new applications and devices. This means that security needs a seat at the table from the start. But first, security teams need to understand the business and better communicate and justify programs that enable solutions, not just prevent problems later.
Security can only get the right level of attention with the business focus, organizational savvy and strategic understanding to support business enablement. Outsourcing basic security operations to trusted partners (as IT has done with the running of servers for years) can free up resources to mature the security team (through hiring and building the skills and knowledge) to earn a seat at the table.
Consider the possibilities
In financial services, security has been part of banking’s DNA since money first started moving by wire, so the industry has had the “bake it in” mentality for years, and security has always had high visibility and status in the organization.
In industries like healthcare or manufacturing, it is not uncommon to have situations where a product is ready to launch, but a security expert then advises that the threats are too risky and stops the business case.
What if security were involved with application design from the start, to ensure personal information is tightly controlled and testing is part of a secure software development lifecycle that happens in a single agile sprint, automatically? How much faster to market would you be?
CGI is helping clients advance their cybersecurity maturity in a number of ways, from sharing hiring best practices based on our in-depth experience in onboarding and training hundreds of engineers and technical professionals over the years, to providing managed security services to enable our clients’ own experts to move up the internal value chain.
In our next blog on this topic of shifting cybersecurity from “run” to change and grow, we will demonstrate different ways of moving basic cybersecurity operations to outsourcing partners.