New World Order & The Role of the CISO

The traditional role of the CISO is changing in a dynamic world of geopolitical unrest and economic uncertainty, where the expectation to do more with less keeps increasing.

By Kaushik Majumder

The world around us is changing rapidly; stability is no longer a luxury that businesses can count on. As cybersecurity continues to be viewed as a strategic function that reduces cyber & business risk, CISOs will need to prepare for this new reality & meet board expectations.

So, what has changed?

Geopolitical environment: Geopolitical risks have increased significantly in the last few years; some examples are listed below:

  • Tariff war between China & the USA
  • Russia vs Ukraine [NATO – North Atlantic Treaty Organization]
  • Most countries are taking a protectionist approach towards the market economy
  • Israel vs Iran war – broad volatility in the Middle East is impacting oil prices
  • Cyber risks from nation-states
  • Climate change
  • Public health emergencies [e.g., Covid-19]

This is a real conundrum for business leaders: in today’s world, these geopolitical risks have unfortunately materialized in close succession, which means the organization’s resources will be under duress & will need to be prioritized.

A PwC study shows that CEOs & business leaders consider cyber risk the priority area among geopolitical risks.

Image source: PwC

Apart from geopolitical risks, we are also in the middle of a huge technology disruption led by AI. CISOs will not only have to prepare for the adoption of AI but also defend against threats & risks that AI now enables. That is a separate topic in itself; this article keeps its scope limited to geopolitical risks.

So, what do geopolitical risks mean for the CISO?

  • Boards demanding to know the organization’s top risks & the mitigation steps for each
  • Pressure to prioritize cybersecurity investments & to prove their value to the board
  • Escalation in cyber warfare, with private organizations becoming targets of nation-states
  • Risk to cyber-physical systems & to human safety
  • Risk to the organization’s critical infrastructure, leading to business disruption & loss of revenue
  • Disinformation campaigns affecting the organization’s reputation

So, how does the CISO respond to the above challenges?

In my view, fundamental changes may be required to address the new emerging world order, & below are some first steps that can be planned & implemented.

Changing the mindset & getting closer to the business are important, but what does that mean?

  • Know what is important for the business; start with what the business is already telling you.
  • Attend periodic strategy briefings.
  • Read the yearly performance/annual reports (publicly available to shareholders).
  • Hold periodic internal meetings with business leaders to understand business priorities.
  • Highlight the importance of cybersecurity & how it can help the business in this new world.
  • Ask the business leaders what value cybersecurity has for them.

Cybersecurity investment prioritization: but how does it manifest?

Proactive vs reactive security:

Stanford research shows that learning-based reactive security is effective compared with an all-out proactive security approach. Conversely, research by Research Nester & others shows that the proactive security market was USD 31.6 billion in 2024 & is expected to grow to USD 35.1 billion in 2025, at a CAGR of 13.7%.

Image source: Research Nester

These two pieces of research offer very different points of view, but seen in the context of business sectors, revenue-generating functions, and compliance requirements, both make sense.

Hence, in the real world, a combination of proactive & reactive approaches is required to balance budget reduction and appropriate security levels.

Example implementation:

i) Protecting present & future revenue streams — Proactive approach:

  • Prioritize financial, human, and technological resources for revenue-generating functions.
  • Invest in proactive tools such as threat intelligence, breach & attack simulation, predictive analytics, and cyber insurance.
  • Maintain a lower risk appetite for these functions and assets.

ii) Rest of the businesses — Reactive approach:

  • Maintain baseline acceptable security controls.
  • Focus on patching, risk assessments, and audits.
  • Limit new security investments and accept a higher risk appetite.

Value proposition – Numbers are important:

In any P&L-driven business, the primary indicator of cybersecurity’s value should be expressed in financial terms. Quantifying risk financially is difficult, but CISOs must find ways to present value to the board in financial terms.

Until now, cybersecurity has been associated with the bottom line; CISOs now need to consider whether it can also be associated with the company’s top line.

Traditional value proposition of cybersecurity:

  • YoY % decrease in cybersecurity investment — not considered financial value by top management.
  • Perceived value remains technical (e.g., reduce incident response time by 5%, increase coverage by 5%).
  • We talk about reducing business risk, but do not demonstrate how.

New proposed value proposition:

Stable YoY cybersecurity investment (bottom line) & a demonstration of business value directly linked to the financials (top line).

Example:

  • Incident response time saved in 2024: 50 hrs.
  • Identify the affected revenue-generating assets and quantify the total time saved on them.
  • Multiply by the average revenue per hour to calculate the financial impact.

Through this example, the CISO can clearly demonstrate how cybersecurity directly enables financial value — e.g., USD 2.6M in 2024.

Incident response:

Incident response is the first line of defense against cyber warfare emanating from nation-states. Threat actor groups with vast resources and immunity from prosecution pose a serious challenge for underfunded corporate defenders.

Recent examples include:

  • SolarWinds attack (2020) compromising multiple supply chains.
  • Storm-0558 compromising Outlook Web Access (OWA) of 25+ US organizations.

Incident response must cope with immense data noise while still ensuring that critical threats are identified.

According to the WSJ, Amazon sees nearly 1 billion threats daily (*). The IMF reports that cyber risk and the probability of loss have quadrupled since 2017, to USD 2.5 billion.

(*) Not every threat materializes into an actual cyber incident.

In summary, CISOs must deal with an enormous volume of attacks every day, some of which may be persistent attacks (APTs) affiliated with nation-states that raise the probability of extreme losses, and all of this with limited resources.

The question then becomes how a CISO strategizes the organization’s incident response & prioritizes threats. In my view, the following are necessary to develop a successful incident response program. The answer lies within each organization: every organization holds a huge amount of data on the attacks that have hit its infrastructure over the years, and a detailed analysis of this data is essential to arrive at an incident response strategy.

Below, I provide some important guidelines that can be followed to develop the strategy:

  • Determine what % of attacks were converted into actual incidents (a large portion of attacks should be prevented by the security infrastructure installed at the company network perimeter).
  • From this subset, determine which incidents can be attributed to financially motivated threat actors vs threat actors motivated by geopolitical reasons & funded by nation-states.
  • Identify the organization’s financial risk appetite for incidents.
  • Work with the corporate finance teams & other stakeholders to arrive at a financial value.
  • Convince the board to set aside this amount every year for incident-related loss.
  • Anything above that value should be insured; the organization should hold a cyber insurance policy.
  • Apprise the board that incidents are inevitable & that the incident response teams will focus on containment & response.
  • The majority of incidents will fall within the risk-appetite value & can be tolerated with corrective/reactive measures.
  • A smaller % of incidents, however, will need proactive measures & may need additional investment, particularly where such campaigns target the organization’s critical infrastructure & assets.
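The guidelines above can be applied mechanically to an organization’s own attack history. The following is an added illustration (not the author’s tooling): the event records, the per-incident losses and the risk-appetite figure are all constructed, and the split between the reactive and proactive tracks follows the rule stated above (nation-state motivation or a critical-asset hit goes proactive).

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    year: int
    became_incident: bool   # False: stopped at the perimeter; True: a real incident
    motivation: str         # "financial" or "geopolitical" (nation-state funded)
    loss_usd: float         # direct loss attributed to the incident (0 if blocked)
    critical_asset: bool    # targeted critical infrastructure / revenue-generating assets

# Constructed, heavily condensed four-year history (illustrative values only)
EVENTS = [
    Event(2021, False, "financial", 0.0, False),
    Event(2021, True, "financial", 120_000.0, False),
    Event(2022, False, "geopolitical", 0.0, True),
    Event(2022, True, "financial", 80_000.0, False),
    Event(2023, True, "geopolitical", 900_000.0, True),
    Event(2023, False, "financial", 0.0, False),
    Event(2024, True, "financial", 60_000.0, False),
    Event(2024, True, "geopolitical", 400_000.0, True),
]

def triage(events, risk_appetite_usd):
    """Apply the guidelines: conversion rate, motivation split, retained vs insured
    annual loss, and which incidents belong on the proactive track."""
    incidents = [e for e in events if e.became_incident]
    conversion_rate = len(incidents) / len(events)
    by_motivation = Counter(e.motivation for e in incidents)
    avg_annual_loss = sum(e.loss_usd for e in incidents) / len({e.year for e in events})
    # Loss up to the risk appetite comes from the yearly set-aside; the excess is insured.
    retained_usd = min(avg_annual_loss, risk_appetite_usd)
    to_insure_usd = max(avg_annual_loss - risk_appetite_usd, 0.0)
    # Nation-state-motivated incidents or hits on critical assets go on the proactive track.
    proactive = [e for e in incidents if e.motivation == "geopolitical" or e.critical_asset]
    reactive = [e for e in incidents if e not in proactive]
    return {
        "conversion_rate": conversion_rate,
        "by_motivation": dict(by_motivation),
        "avg_annual_loss_usd": avg_annual_loss,
        "retained_usd": retained_usd,
        "to_insure_usd": to_insure_usd,
        "proactive_count": len(proactive),
        "reactive_count": len(reactive),
    }

if __name__ == "__main__":
    for key, value in triage(EVENTS, risk_appetite_usd=250_000.0).items():
        print(f"{key}: {value}")
```

With the constructed data, 5 of 8 attacks became incidents, the average annual loss of USD 390k exceeds a USD 250k risk appetite by USD 140k (the amount to insure), and the two geopolitical incidents land on the proactive track.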

In summary, the incident response strategy should be bifurcated into reactive & proactive approaches, and critical assets & threats from nation-states should certainly be part of the organization’s proactive strategy.

The four strategies discussed above (amongst others) may give CISOs some input on how to navigate the challenges of this new world & demonstrate the value of cybersecurity to the board.

Note:
This article is based on the opinion of the author & is not affiliated with any entity or individual. It is written for the purpose of sharing knowledge & information on cybersecurity aspects with proper attribution & references to the source of any external information.
This article can be used for knowledge dissemination, academic work, and not for commercial purposes.