The cyber security pivot: from enforcement to enablement

CISOs highlight seven key actions to help security teams expand contributions while navigating mounting threats.

In the high-stakes world of cyber security, it’s hard to tell which is changing faster: the rapidly expanding landscape of incoming threats or the rapidly expanding job responsibilities of the company’s security team.

Start with the positives. After navigating the pandemic’s unprecedented cyber security challenges, chief information security officers (CISOs) and their teams are now essential seat-at-the-table partners for the entire enterprise, well beyond their traditional traffic cop role. That includes expanded and forward-thinking support for delivering business-critical initiatives like digital transformation, faster-to-market products, and seamless digital experiences that customers both embrace and trust.

But on the flip side are the relentless security threats, where the CISO and team are often the only ones at the table, trying to find the right balance between enablement and enforcement. Today that means redefining and expanding their role while always maintaining a vigilant front-line defense against constantly mutating cyber threats—and with a workforce that now views at least some amount of remote (i.e., more vulnerable) work as a given.

To find out more about how cyber security roles and the related leading practices are evolving, we spoke to a number of CISOs from major organizations across a wide range of industries and regions, as well as to our own cyber security specialists. A number of consistent themes and recommendations emerged from these discussions, as we outline in our comprehensive new report, “Cyber trust—securing the future.”

Taking a closer look

Above all, the CISOs we spoke to emphasized the critical need for security teams to move from enforcers to influencers. Rapid digital innovation is now table-stakes for ongoing business competitiveness and resiliency, and cyber security teams must adapt. That will require partnering across the enterprise with a pragmatic security culture that embeds secure-by-design thinking into every aspect of digital product development, infrastructure, and data.

Specifically, our new report identifies seven key actions for CISOs, which focus on helping their teams evolve, expand, and ultimately reimagine their role in the business:

1. Act like you belong in the C-suite

2. Broaden horizons

3. Weave cyber security into the organizational DNA

4. Shape the future cyber security workforce

5. Embrace automation as the rising star

6. Brace for further disruption

7. Strengthen the cyber security ecosystem

Check out the new report for complete background on each of these seven areas, as well as the underlying insights from security pros at leading companies.

Expanding the portfolio

Perhaps the biggest finding from our discussions is the emerging leadership mandate for the CISO role. At many companies today, CISOs are increasingly public figures, building trust and confidence with customers, employees, and the public at large against the backdrop of the latest headline about a large company’s security breach.

To make this shift, CISOs and their teams must shed their historical “can’t-do” perception and work to build consensus, acknowledging and navigating corporate politics while ensuring that leadership understands the security implications of the company’s growth-focused strategic initiatives.

That’s going to require security teams to be more sophisticated communicators, working across the business to embed a security focus into every new initiative. For example, that might involve integrating security into governance and management processes, building education and awareness, and establishing the right mix of corporate and personal incentives, according to our discussions with leading CISOs.

Upskilling and automation shape up as two critical paths to support the security team’s evolution. CISOs are putting a premium on acquiring new capabilities, seeking unconventional, diverse new talent for their own teams while working to make a commitment to basic security a natural way of thinking for everyone in the company. Meanwhile, increased automation is emerging as a way to reduce the manual workload, ease skills shortages, and address the growing compliance requirements in a consistent and repeatable way.

Planning for the inevitable

Above all else, the CISOs and cyber security leaders we spoke to emphasized one essential fact of life: Always plan for disruption.

The same forces that are driving digital innovation—the expanding smart device Internet of Things (IoT), advanced mobile networks, gigabits of new data being managed by AI, and hyperconnected cross-channels with customers, suppliers and employees—all open up exotic new cyber risks.

To maintain leading-edge cyber security for an impossible-to-predict future, CISOs are evolving their approach, expanding their influence, and finding new ways to facilitate growth and embed security into the entire company’s way of life. Read “Cyber trust—securing the future” for the full report on our discussions with CISOs and much more detail on their seven areas of focus.

Contact us

Fred Rica

Principal, Cyber Services Sales Enablement Leader, KPMG US

+1 973-912-4524