Why is this misconception false?
Paradoxically, the CDO is probably one of the only executives, if not the only one after the CEO, who can do something decisive about cyber and digital security. A CISO restricted to a technical perimeter cannot carry this vision to the strategic level, because many CISOs still report to a CIO or a CTO. Their background is rarely a business one, and it often lacks a sufficient digital dimension. Too rarely do they allow themselves (or are they allowed) to think about the external customer.
The digital transformation director has a direct interest: he has budgets, he is listened to by general management, and he may even carry a P&L. He is often the only one able to act transversally across technology, customers and distribution channels, partners, employees and business processes. He or she will be mandated by the CEO, who has now been invited for several years to drive the cybersecurity strategy (Accenture, World Economic Forum). If the CDO can (or should?) become the sponsor of the cybersecurity strategy, should he carry the ultimate responsibility? Not necessarily, because it is fundamental that the CISO retain a form of independence that preserves the capacity to analyze, make recommendations and sometimes alert top management. What is certain is that the two must work together.
The cost of the CDO's cyber inaction is too high
For several years now, CEOs who have suffered significant cyber crises, and whose inaction has been exposed by the press, are clearly no longer popular (Marissa Mayer, ex-CEO of Yahoo, the ex-CEO of Equifax, the CEO of SolarWinds: they have retired, or withdrawn from active life as the CEO of a large company). Depending on the situation, either their CISO at the time alerted them but the two never found common ground, or the question of the CISO's own competence was also raised (Equifax).
In the future, only those digital transformation directors who have properly integrated cybersecurity at the heart of their approach will be considered credible in managing their careers toward even more ambitious positions. To paraphrase the OECD, there is no successful digital without true digital security.
There are strategies and solutions available today that can address these challenges. Once again, digital transformation strategies are a source of inspiration, if not a framework, for cybersecurity strategies. But we need to know how to interpret and transpose them. Tomorrow, there will be CDOs who have not grasped the subject and those who will have tamed it, for the good of the company and for their own good.
How can the digital strategy help the cybersecurity strategy win buy-in?
A simplistic approach would be to apply Microsoft's advice.
With cyber, what does "a vision and strategy" aligned with digital transformation mean?
It's not just compliance with NIST CSF, CIS20 or RGS, or remediation following the last internal or external audit. It's about getting to the heart of the business processes, the company's culture, its strategy and its capabilities: business, IT and cyber capabilities. Cyber must be an integral part of the company's strategy.
In cyber, what is a "unified and elastic culture that invites diversity"?
It's not mandatory e-learning modules and accusatory phishing tests. It's a strategy, methods and tools that move toward meeting the basic needs of employees (Ryan and Deci, 2000): autonomy, competence and relationship. In short, empowerment on and through the cyber subject, in the daily exchanges of teams and at the heart of the company's strategy.
In cyber, what does it mean to "amplify unique potential"?
It is definitely not doing what everyone else is doing. No copycat strategy. It means having an intimate knowledge of business operations and strategy. Benchmarks (from yesterday) are interesting, but they carry the risk of doing what the average does, i.e. being mediocre, and certainly not "secure" (today, and for tomorrow).
In cyber, what does "developing capabilities" mean?
It means defining which capabilities the cybersecurity program must have in place. Not trying to address everything. Not putting top priority on being X, Y or Z compliant. Rather, as in a military defense strategy, defining the capabilities the company must acquire in the face of given types of threats and situations. It is not only a question of adopting a truly risk-oriented approach but, faced with this multiplicity of risks and black swans (events that are unlikely but may occur) and with the multiplicity of attackers, of adopting a strategy of industrialization: defining and implementing capabilities that are sufficiently fine-tuned to deal with the identified risks and adaptable to new threats without major additional cost or excessive rigidity.
To dare to paraphrase Satya Nadella, CEO of Microsoft ("every company is a software company"), we say: every company is a digital security company.
The "anti-fragile cyber" model
To truly work in depth on the cyber topic, rather than pushing the problem away with yet another magic tool or buying into the strategy of a market player whose fundamental interest is not necessarily aligned with the company's, it is essential to have an organizational model for cyber resilience. Such a model is available today: the Anti-Cyber Resiliency Model.