The role of an Information Security leader used to be primarily concerned with protecting the confidentiality of information. It’s clear from the title Chief Information Security Officer that our priorities have been protecting the security of information. But a shift is occurring. As our world becomes more digitalized and interconnected, there are new priorities in Information Security. Integrity and availability of data and systems are becoming just as important as—and at times even more important than—their confidentiality.
I recently had the chance to sit down with Bjorn Watne, Global CISO of INTERPOL, for an episode of Cyber at the Top. As the trusted global information hub for law enforcement, INTERPOL recognizes the importance of protecting the confidentiality of information. But in our conversation, Bjorn explored the bigger shift toward balancing the CIA (Confidentiality, Integrity, and Availability) triad, how that shift is changing the risk landscape, and what it means for the role of cybersecurity leaders.
Shifting Priorities: From Confidentiality to Integrity and Availability
There are two major societal changes driving the shift: the digitalization of data and the convergence of the physical and digital worlds. Twenty years ago, if the Internet went down, it was an annoyance. You might lose access for a few hours, or maybe a day, but most things kept working. That’s no longer true.
Today, almost everything we rely on is connected. Systems depend on data to operate. In Norway, where Bjorn is from, almost 100% of payments for goods and services are digital. If those systems go down, it’s not just inconvenient. It’s completely disruptive.
I shared a story in the episode about a friend of mine whose mattress was connected to a cloud service and would adjust the temperature during the night. When the cloud service went down, the mattress defaulted to the hottest setting, and he woke up in a sweat.
It’s a funny example, but it shows how much our physical and digital worlds are now inextricably connected. When systems fail in the digital world, the impact shows up immediately in the physical one. That changes how we think about risk.
Balancing the CIA Triad
While integrity and availability are becoming just as important as confidentiality, they’re often much harder to guarantee. In the past, security leaders focused heavily on data theft. Threat actors wanted to get in, steal data, and get out.
Now, the threat landscape has shifted toward systemic disruption. We’re seeing more supply chain attacks, more attacks on critical infrastructure, and more cases where, in addition to stealing data, attackers are making systems unavailable. That forces us to think differently about our priorities in security.
As Bjorn put it, “We need to classify whether availability of a system outweighs the need for confidentiality or integrity, or vice versa.” This means asking new questions: Which systems need to always be available? Which systems need to always be accurate but can be offline? And where does confidentiality fit into all of this?
Bjorn shared a dark joke to illustrate the point. Imagine a medical emergency where first responders are unable to access critical health data due to privacy protections. They administer a treatment the patient is allergic to. The tombstone might read, “Well, at least his data was kept confidential.” It’s uncomfortable to think about, but it highlights what is at stake.
The Biggest Challenges: Complexity, Visibility, and People
One of the biggest challenges in prioritizing integrity and availability is complexity. Organizations today are made up of countless interconnected systems, many of which extend far beyond traditional boundaries. What used to be internal is now global. Bjorn explained, “It’s difficult to get visibility across these huge landscapes.” The lack of visibility makes it harder to understand dependencies, track changes, and ensure that systems remain both accurate and available.
Cloud environments add another layer. Small configuration changes can have outsized impacts, and maintaining a clear picture of what’s happening across systems becomes increasingly difficult.
And then there’s the human element. We’ve spent years training people to think about confidentiality by protecting data and preventing unauthorized access. Now we’re asking them to expand that mindset by thinking about resilience and what could happen when systems fail. It requires a mindset shift.
Impact on the CISO Role
As the organizational mindset shifts its focus to include availability and integrity, it also changes how cybersecurity professionals are seen in the enterprise. We start to look at security not as a barrier or gatekeeper but as a quality and resilience enabler, and the CISO becomes more of a Risk and Resilience Officer.
Security is no longer just about protecting information. It’s about ensuring the business can continue to operate. Bjorn advised, “Being the ‘guardian of secrets’ doesn’t work anymore. You need to be supporting the business and working on availability and risk reduction.”
Next Steps for Security Leaders
Bjorn offered a few parting pieces of advice for security leaders. First, follow along the lines of the latest regulatory requirements and identify your crown jewels—what are the key processes and services you’re in the business of delivering? Then, assume there is going to be a breach or disruption—find out what it takes to get those processes and services back online if they go down. Once you’ve figured out a response plan, continuously rehearse and test it. According to Bjorn, “Remember, you can almost always recover from a data leakage, but if your system is taken offline, that’s harder to recover from.” Can your business continue to operate when something goes wrong?
That question requires a broader view of risk, one that requires us to think beyond prevention and focus on resilience. Confidentiality is still important, and it always will be. But if systems aren’t available, or if the data they rely on can’t be trusted, the impact is immediate. That’s why the role of the CISO is evolving, not away from security, but toward resilience.
To listen to our full conversation, watch the video here.