Security leaders are not what they used to be… and retail companies can be better for it! Chief Information and Security Officers (CISOs) and security teams used to be caricatured as the “Department of No”.
In their efforts to turn their organisation into impenetrable fortresses, they were often deemed to be blocking innovation in the process. This approach, it is often argued, did nothing to stem the emergence of shadow IT, cloud, or AI, with employees finding ways to bypass policies without security teams knowing.
But we are already talking in the past tense. Many, indeed most CISOs, recognise the need to change from a defensive (“I cannot allow this.”) to a proactive enablement mindset (“How do I enable my colleagues to do this, but safely?”).
A head start …
CISOs with more progressive mindsets are especially prominent in retail, as we discovered through research we recently published showing that an overwhelming proportion of CISOs in the sector consider themselves to be business enablers (98%) wanting to play a more active role as a business enabler moving forward (87%). These percentages are much higher than found among their peers across other industries.
So what is causing this desire to be more of an enabler that seems to be so specific to the retail sector security leader? Possibly one influencing factor is the pressure that retailers have found themselves under from the digital sphere. E-commerce saw technology disrupting retail much earlier than many other industries.
Under pressure from the emergence of online pure-players, the retail industry had to innovate early and quickly, building extended digital footprints with complex integrations and infrastructures that are hard to secure (e-commerce, payment, logistics, multiple locations, marketing…). Over the years, CISOs and their teams played an important role in this transformation, helping retail companies strike that balance between accelerated innovation and ensuring the necessary protections for employees, customers and data.
… but perceptions are still lagging
The new research shows, however, that despite their essential contribution, perceptions about security leaders seem to be lagging reality. The vast majority of retail CISOs claim that they can enable more business innovation than other members of the C-suite (87%), but that the C-suite fails to see that their role makes innovation possible (84%).
An overwhelming 81% of retail CISOs also said their appetite for risk has increased in recent years, and hardly any consider their risk appetite to be low (< 2%). When asked about their CEO’s risk appetite, however, they consider it much lower than their own (23% said their CEO’s risk appetite was low), indicating that retail business leaders may now be more risk averse than their security counterparts, an unexpected contrast that challenges common assumptions.
With more progressive CISOs, and more risk averse CEOs, mindsets seem to be evolving in opposite directions, and causing some friction. Retail CISOs unanimously said they are experiencing difficulty with conflicting risk appetites in the C-suite, and in such a competitive sector, retail players can’t afford a lack of alignment to slow down innovation and growth.
Trust and compromise
In this context, establishing a healthy partnership between security and business leaders has never been more important. A collaborative CISO / CEO relationship ensures the company continues to move at pace, with security embedded in its innovation culture. And as with any successful relationship, communication is important when opinions diverge, enabling both parties to understand the reasons behind counter viewpoints and collaborate to find an appropriate resolution.
CISOs wishing to change perceptions about their role and contribution should consider changing the narrative that dominates their exchange with business leaders. Another conversation about cyber threats and security solutions won’t help change perceptions, but discussing options to safely enable innovation and the value the business could draw from it, could.
Tools and technologies are important, to be able to make decisions to enable the workforce (for instance securing rather than blocking the use of generativeAI tools) but save the technical details and metrics for within the technical teams, and focus c-level discussion on the ways in which security policy benefits business goals.
Aligning security and business objectives in that manner should also help CISOs strengthen ties with other departments and present joint propositions and a united front to the CEO, as discussions will revolve around how the company can unlock more efficiency for their team.
Retail is a fast-paced, highly competitive and digitised industry, and companies in the sector need the best CISOs to manage this careful innovation-security balance. However, a reductive view of what their CISOs can achieve is guaranteed to ensure that the industry fails to tap its full potential.
Fixing this doesn’t require rocket science, and by recognising the value of modern CISOs, and establishing the right relationships and processes between business and security, retail companies should be able to draw more value from security teams.
Tony Burnside is vice president and head of APAC at Netskope.