Achieving management consensus on how best to address cyber risks remains a challenge. There are still many business leaders out there that see cybersecurity as overhead, a function of technology, and a necessary burden. Cybersecurity as an enabler sounds great in theory but is very difficult to achieve in real world practice.

Andres Andreu is the CISO at 2U Inc., the US-based parent company of edX, a leading global online learning platform providing over 40 million learners with access to world-class education. An industry veteran chosen in 2022 as one of the TOP-10 CISOs by C-Level Focus, Andres is also a mentor and advisor to multiple start-ups and a published author.

Samir Aliyev, CEO and Founder of the Swiss Cyber Institute, spoke with Andres Andreu. In this interview, Samir discusses with Andres the key elements required to balance the value of new technology against the increased cyber risk that comes with it.

Companies are more reliant than ever on shared technical infrastructure and service providers. How should a company integrate cyber risk management into its decision-making processes and how will it impact cyber resilience?         

Whenever key ecosystem components are outside of a CISO's physical control (e.g., deployed on-prem, etc.), risk has to be at the forefront of decision-making processes. Business and revenue-generating opportunities stand to benefit most from shared resources and those need to be weighed against any perceived or identified risk. If shared resources are used properly (systems design, segmentation, etc.) then cyber resilience only stands to gain from the shared resource (e.g., cloud hosted) model.

Many CISOs see their role as a blend of both technology and business. How do you see the CISO’s role evolving so that they can keep up with or ahead of the threat landscape?

I feel many CISOs have lost their technology DNA and have become exclusively businesspeople. The more that business narrative gets pushed the less those CISOs can actually be useful from a protective perspective. Moreover, their decision-making ability gets impacted as well. An effective CISO should be balanced and should be able to speak financials with executives just as effectively as discussing attack surface and relevant threats.

A common way to assess the value of a senior executive to an organization’s business is to look at any identified impact they have had on the top and bottom line. How should an organisation measure the value of a CISO?

This requires a mindset shift at an organizational level. The shift needs to be from “business enablement” to “safe business enablement”. Conducting business is different from conducting safe business. History has shown us that conducting business in an unsafe fashion leads to serious problems. So, one way an organization can measure the value of a CISO is to scrutinize if they are able to conduct safe business under that CISO's watch.

The visibility of a CISO often boils down to how much the business values security. How important is it for a CISO to have a seat on the board and does it matter who a CISO reports to?

CISOs do not need board seats within the company that employs them. Boards do need the expertise that a CISO can bring to the table. So, a well-rounded CISO (who can speak finance as well as cybersecurity) can add value to boards where needed, but the importance will vary between organizations. Reporting structure is very subjective to an organization's culture. So, it does matter who a CISO reports to, but there is no formula.

What are the key steps an organisation should take to ensure that it is well prepared to effectively respond to and recover from a potential cyber-attack, and how should one prioritise and allocate resources towards achieving and maintaining an effective state of cyber resilience?

Response and recovery come down to a well-designed and mature Incident Response (IR) or Incident Management (IM) programme. The reality of the matter with IR/IM is that this is reactive in nature; it is a post-incident endeavour, the event already took place. An effective state of cyber resilience pushes as much as is possible to the forefront of events and so IR/IM is a thing of last resort. Cyber resilience introduces the notion of having anti-fragile environments that can actively withstand nefarious events. As such, with a matter of urgency proper resources should be allocated to pro-active protection that introduces strong resilience.

In your opinion, what is the most overrated trend and/or technology in cybersecurity and why?

The most overrated trend is Zero Trust (ZT) via the purchase of a specific product. ZT is a journey towards a continuously adapting set of solutions, not a product deployment.

On the obverse, what do you consider to be the most underrated trend and/or technology in cybersecurity and why?  

The most underrated trend is to ensure that the basics are covered. Basic technology hygiene is the essential foundation all else is built on. If your foundation is weak then no amount of innovation will truly increase your security posture.

While most business leaders are more aware of their organization’s cyber issues than they were, would you say that achieving management consensus on how best to address cyber risks remains a challenge?

It is still absolutely a challenge. There are still many business leaders out there that see cybersecurity as overhead, a function of technology, and a necessary burden. Cybersecurity as an enabler sounds great in theory but is very difficult to achieve in real world practice.

Adding emerging technology to legacy IT increases the complexity of an organization’s digital environment. What are the key elements required to balance the value of new technology with the potential for increased cyber risk that comes with it?

A keen understanding of what is really valuable to a given business. Sometimes a technology refresh, or innovative addition, introduces more disruption than it actually adds value. So, the balance that is referenced requires deep intimacy with a business, its culture, and its strategic objectives. Then a strong level of objectivity is in order such that a cyber leader can make a sound, subjective decision.

Amongst many challenges, CISOs are up against talent shortage and staff retention in the field of cybersecurity. What do you consider CISOs should do to identify and develop a diverse talent pool to meet an organization’s needs?

CISOs need to keep talented staff engaged and always growing (as individuals). If a CISO focuses on developing the individual, that will pay off. Talented people generally get bored easily and require constant challenges to stay engaged.

According to several surveys, cybersecurity professionals would rather work from home (WFH). Do you feel WFH is a blessing or a curse for CISOs?

It depends on the level of the person. For example, the more senior leaders and architects probably need a healthy amount of in-person time. But an analyst or an engineer won’t. I don’t see it as either blessing or curse; I see it as something that needs to be intelligently balanced. If a CISO is in tune with their staff this is entirely possible.

What do you look forward to most at this year’s Global Cyber Conference?

Networking with experts and peers from around the globe. I absolutely appreciate global diversity and absorb from varying perspectives and knowledge levels every chance I get.