
The Digital Transformation and the Role of the CISO


Cybersecurity needs to be at the heart of the digital transformation, but organisational models will have to evolve


Cybersecurity is in the process of becoming an essential component of any organisation’s digital transformation journey. There is no way around this, especially as policymakers start dipping their toes into privacy and security issues, and societal norms are shifting on the topic.

In fact, privacy and security considerations are the key ingredients of digital trust and must be at the heart of any industry’s digital transformation. Far from being purely technological issues, for many firms they raise profound cultural and governance issues.

The necessarily transversal nature of security and privacy matters needs to be woven into the fabric of an organisation for the digital transformation to succeed over the long-term, and this will force existing organisational models to evolve.

Of course, most of the new technology layers enabling the digital transformation need to be protected from interference, intrusion, or corruption. This is especially the case in industry sectors seeking to take advantage of the enormous opportunities offered by technologies such as driverless vehicles; the logistics sector, amongst others, could be unrecognisable in ten years’ time.


New technologies will also generate and feed on massive amounts of data – much of it sensitive or personal – that will need to be collected, processed, and safeguarded in a way that is both sensible and ethical. This is absolutely key, for example, in the retail sector, where the growing trends towards enhanced personalisation and the digitalisation of the consumer’s journey are turning the industry on its head.


The concepts of security by design and of privacy by design will inevitably become any organisation’s best allies in its innovative endeavours and must be taken seriously by all digital transformation players, especially as the regulatory and social contexts become harder to navigate.

As data increasingly becomes the fuel of the digital value chain, it needs to be understood and treated as a truly valuable asset by all firms, and protected as such.

But this must not be seen as a mere technical matter: it needs to be addressed across the corporate spectrum as a full managerial and cultural matter, and could have deep organisational implications.

There is no doubt – in our opinion – that organisations which put information security and privacy at the heart of their digital transformation from the start could obtain a real competitive advantage in the mid-to-long run.

As a matter of fact, the recent entry into application of the General Data Protection Regulation (GDPR) in the EU is dramatically changing the incentive landscape for all businesses active in Europe.

Make no mistake: the GDPR is an integral part of the digital transformation paradigm and illustrates how external forces – in this case, regulation – can and will be applied by politicians to try to restore market equilibrium – in this case, in the face of ruthless data monetisation – to protect the perceived interests of consumers and citizens.

Organisations can now be fined up to 4% of their global annual turnover (or €20 million, whichever is higher) for non-compliance, but may be faced over the short term with incoherent rulings and shifting legal norms, as nobody really knows yet how the regulators will act in practice. In addition, firms are now required to report any relevant personal data breach to the regulator within 72 hours of becoming aware of it. This will require capabilities of detection, analysis and reaction which go far beyond the scope of the security teams, and will force many corporate stakeholders to work together on those matters (security, IT, legal, DPO teams, senior management, etc.). As such, the GDPR could be a painful lesson as to why cybersecurity is necessarily a transversal matter for organisations of all sizes.

Finally, and perhaps most importantly, respect for privacy and the protection of personal data is likely to become a true competitive advantage as our societies become increasingly wary of these issues.

This shift is well illustrated by the first complaints filed under the GDPR framework. Privacy activists such as Max Schrems or the French La Quadrature du Net, for example, have already started to drag high-profile tech companies (Facebook, Google, Instagram, etc.) into what could become lengthy legal proceedings. Depending on how the regulators react, this could have deep implications for how data-driven businesses are to operate in Europe.

As consumers and other stakeholders scrutinise corporate attitudes towards data more and more closely, failing to acknowledge their concerns over these privacy issues – or worse, making the headlines when the next scandal hits – could do more harm to any business than a regulator’s fine.

At the heart of those matters lies a deep reliance on digital trust. Once it is broken, the entire digital value chain collapses.

Investors themselves are starting to regard digital trust as the true “secret sauce” of the digital transformation, and security and privacy – as its key ingredients – are fast becoming serious components at the heart of any sound ESG framework.

Security and privacy are becoming increasingly intertwined, and it makes little sense from a corporate governance perspective to allow a new privacy organisation under a DPO to grow in parallel to – or in conflict with – existing security structures. The synergies are obvious and need to be leveraged; and where security practices are deemed dysfunctional or in need of improvement, the arrival of the privacy function could provide an ideal opportunity to address them.

In fact, it could be the start of a major evolution around corporate perceptions of security and privacy, from burden, annoyance and costs, towards becoming central management functions.

But organisational models will have to evolve as a result to accommodate the truly transversal nature of security and privacy matters and carve out a niche for those new corporate functions.


At this juncture, the traditional role of the CISO – heavily influenced by a technical bias, tactically oriented and project-driven in many firms – could become exposed.

Not in its functional existence – IT security is more essential than ever – but in its corporate prominence. Having failed to project their roles beyond the tactical and technical fields for the best part of the last decade, many CISOs could find themselves pushed down the organisation while CSO and DPO roles take centre stage at the top.

With those new roles should come new people and a new focus, and probably a different way to approach security matters and talk about them.

We could be at the start of an exciting decade for all security professionals.


JC Gaillard

Managing Director

Corix Partners

Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

This article was written in collaboration with Vincent Viers.

A summary was published on the Kuppinger Cole blog on 9th July 2018.