‘Cyber Isolationism’ is Making CXOs’ Jobs More Complicated – And More Critical

Originally published by CXO REvolutionaries.

Written by Simon Hodgkinson, former CISO, BP.

Is globalization in decline?

Put this question to a group of economists, diplomats, social scientists, or other specialists, and you’d likely kick off a long and spirited debate with representatives on both sides passionately supporting their positions.

In his 2005 book, The World is Flat, the American commentator Thomas Friedman painted a picture of an interconnected world that would supposedly level the playing field for economic competitors. Barriers to entry keeping the developing world out of global markets were due to be washed away like sandcastles at high tide.

A lot has changed since then. While Friedman’s thesis may still hold for financial markets, I would argue that we are now witnessing a reversal of this trend in the digital world. “Cyber isolationism,” as it’s sometimes called, is challenging businesses' ability to operate efficiently and effectively across the different regions in which they operate.

A recent report published by the U.S.-based Council on Foreign Relations (CFR) declared, “the era of the global internet is over” and that “U.S. policies promoting an open, global internet have failed.” Data, it argues, is now a source of geopolitical power that countries will tussle over as new-era ammo in a digital global power struggle.

For Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs), it’s difficult not to see the rise of regional data regulations as an obstacle to doing business in the connected world enabled by our technology. While many of us rely on the same services regardless of our geographic region – from cloud providers to productivity tools like Microsoft 365 – we’re often governed by wildly different data privacy and protection laws.

It’s one of several developments that are making it more difficult for CXOs to steer global organizations in the right direction – and in turn making their jobs more important. Over the past decade, for example, the role of the Chief Information Security Officer (CISO) has gone from being embedded under a head of infrastructure to its own C-level position with a seat at the table, largely due to the breadth of the role and the scope of the risk it's tasked with managing.

A riskier, more fragmented web

I believe there are two factors most responsible for contributing to the rising stature of CIOs and CISOs in the corporate world. One is the way high-profile compromises demonstrate the devastating global potential of powerful cyber weaponry. WannaCry and NotPetya pulled many heads out of the sand regarding the damage and disruption cyber-attackers were capable of.

Sophisticated supply chain attacks like SolarWinds and Kaseya were a reminder that securing our own organizations wasn’t enough anymore. In all, cyberattacks have moved from the realm of a technical challenge to an existential one for businesses. That fact is becoming more widely recognized.

The second factor is the Balkanization of data privacy regulations I mentioned earlier. Having served as CISO for bp, which operated in 80 countries at that time, I knew to anticipate disparities in data privacy laws from site to site. Sharing data outside of the EU, for example, is now a sizeable headache for global organizations.

GDPR, the California Consumer Privacy Act (CCPA), Schrems II, the Australian Privacy Act (APA), and so on give CXOs headaches at global companies that have to deal with such regulations regularly. India, Iceland, and Israel each have their own GDPR-like but unique laws, just to stick with “I” countries. It’s unreasonable to suspect one position to develop a mastery of them all.

Other than leaning on smart and informed legal teams – which I was fortunate enough to be able to do during my tenure at bp – how can CXOs rise to the occasion presented by the global circumstances they face today?

CXOs rising

The CFR report I mentioned recommends that the U.S. adopt a framework that's interoperable with the EU's GDPR. Given America's federated setup, I would not expect anything in the short to medium term. So, short of passing major legislation, what can CXOs do to ensure they remain effective in light of the roadblocks before them?

I would suggest two best practices. First, CXOs must ensure the board and their executive team understand how a cyber-attack could impact the delivery of business outcomes. Ultimately, accountability rests with business leadership, but it’s the CXO’s job to make sure they understand what they’re up against, in layman’s language.

Next, CIOs and CISOs need to ensure the board and the executive team are engaged in crisis simulations. I see many organisations leaving this to the CIO/CISO team. However, it is critical that the business leadership, including representatives from legal, communications, HR, and finance departments, are involved. This should cover a legal, privacy, regulatory incident, and most importantly with the escalating levels of ransomware, a prolonged loss of IT. By prolonged, I mean weeks or months as we have seen happen to many organisations. Traditional business continuity plans simply don’t cater to this sort of event and must be updated to reflect this growing risk.

Cyber isolationism is making the job of IT executives more challenging. It’s also elevating the importance of positions like CIO and CISO for businesses’ resilience and success. To meet these increasingly broad expectations, CXOs must effectively communicate these new realities and prepare for the era of post-open internet in which we now live.