Unlocking cyber excellence: CISO strategies for the TMT industry

TMT organizations face an expanding and increasingly complex cybersecurity threat environment. The volume of attacks grows at an exponential pace, while attackers use both scaled computing power and new sophistication (e.g., AI and Generative AI) to overwhelm defenses. Regulatory demands add to the complexity and cost of responding to breaches (already averaging $9.48 million per breach in the United States²). Continual migration to the cloud, remote and hybrid work, and mobile applications have opened new gaps for attackers to exploit. Companies have built up defenses—the average company has deployed 76 security tools³—but struggle to coordinate mismatched, redundant, or siloed technologies. Yet even as the cybersecurity challenge grows, budgets are constrained—and cybersecurity talent is hard to find and hard to keep.

How can you respond?

1. Assess how well your technology is integrated and whether there are efficiencies to gain in your security operations services.
2. Determine your existing cybersecurity expertise and talent against the rapidly expanding attack surface. Do you have the personnel in-house to enhance your security—and if not, can you recruit and retain the needed talent in today’s tight market? If you lack offshore operations, can you meet 24/7 cybersecurity demands?
3. Evaluate the cost of current tools and technology platforms against the value of managed services and infrastructure, which tend to accelerate implementation and reduce capital spending.

To operate in the digital world, TMT organizations need to create ecosystems, surrounding themselves with third-party providers, including developers hosting applications on their platform. These relationships allow TMT companies to offer a host of services and a richer user experience. But each of these relationships creates security risks. Regulators have focused on TMT organizations’ sharing of data—especially customer and user data—with developers and other third parties. Users also have rising expectations for data security and data use. But customer-facing organizations may find that their third-party providers don’t adhere to the same standards, creating a control challenge—often with few clear lines of responsibility for managing those risks.

How can you respond?

1. Review and understand the data your organization shares with third parties and developers.
2. Streamline service terms and agreements to clarify responsibilities for data security, privacy controls, data segregation, and attack detection and response among TMT organizations and their third parties and developers.
3. Build a compliance program to help ensure third parties and developers adhere to service terms and contracts.
4. Implement ongoing monitoring to manage risks arising from third parties.

View the related case study below.

TMT organizations have been in the throes of transformation, disruption, and maturation. From an explosion in digital commerce activity to the proliferation of online interactions, TMT companies were forced to scale up their services, expand computing capacities, and hire more personnel. Now, these companies are grappling with the need to rightsize their operations amid uncertain market conditions. Increasing pressure to reduce costs is further exacerbated by intensifying shareholder scrutiny on operating expenses and the increasing cost and operational burden of complying with an expanding set of digital regulations. As a result, privacy, governance, risk, and compliance program leaders should reevaluate their programs to identify opportunities for process optimization, efficiencies, and automation to reduce overall cost.

To navigate these cost pressures, Deloitte is assisting clients with integrating privacy governance, risk, and compliance (GRC) programs to drive efficiency through centralized capabilities and resource sharing; workforce optimization utilizing global delivery centers; and process automation utilizing curated AI and Generative AI models.

How can you respond?

1. Identify adjacent and synergistic GRC programs where capabilities, including tooling, could be combined and shared across programs to drive efficiencies.
2. Reevaluate the existing workforce location strategies to determine whether there are opportunities to leverage globally distributed delivery centers and lower-cost regions.
3. Inventory and evaluate what processes and tasks can be performed more efficiently offshore or completely outsourced as managed services (e.g., privacy impact assessments).
4. Assess current processes to determine where automation, use of Generative AI, and technological infrastructure can improve process quality and reduce operational costs. Automating privacy incident management, for example, may improve real-time response while generating both ongoing insights and analysis from historic incident data.

View the related case study below.

As cyber risks have grown, so, too, have security demands and programs. The result for many TMT organizations is overlapping, uncoordinated, and ineffective security efforts. Some investments are fueled by “shiny new object” syndrome—purchases driven by hype rather than organizational needs. Processes can also multiply, losing focus and creating redundancies and gaps. These problems are exacerbated by the premium cost of cyber talent and the challenges of recruiting and retaining skilled specialists. Inefficient defenses are not just a waste of investment—they create their own risks as sophisticated attackers exploit the junctures between disjointed tools. For TMT organizations facing revenue reduction and tighter budgets, optimizing the security program is an overriding imperative.

How can you respond?

1. Step back and take a holistic view of your cyber organization, technology, personnel, and spending, measuring them against evolving needs.
2. Make sure you have the right staffing in the right places. Refine your cyber organization to streamline levels and focus on outcome-based metrics. Consider whether offshoring can expand your talent pool and relieve talent of rote processes.
3. Streamline your security technology infrastructure for optimal results. Review all your applications for effectiveness and integration. Standardize your IT tools to the extent possible.
4. Automate processes. Leverage AI and machine learning (ML) so you can improve efficiency and effectiveness in identifying, analyzing, and countering threats. Consider whether automation can enhance user experience.
5. Consolidate your security vendors and third parties strategically to boost efficiency, reduce redundancies, and align responsibilities with evolving cyberthreats. Consider whether a high-touch, fully managed cybersecurity service arrangement like Deloitte’s Managed Extended Detection and Response (MXDR) could help you enhance your security while controlling the escalating cost of coping with cyberthreats.

View the related case study below.