Interface magazine, a "guide to digital disruption and technology transformation" in organizations, features CNA Chief Information Officer Rizwan Jan in its latest issue. The article highlights progress by Jan and his team in using technology to make CNA both more efficient and more secure. InDepth is reprinting the article here with permission from Interface, a British publication. 

Building a strong organisational culture within a business is a complicated process. However, the benefits extend far beyond merely fostering a positive working environment.

"A strong organisational culture is about more than positivity; it's a strategic foundation for business growth and cyber resilience," says Rizwan Jan, Chief Information Officer at CNA Corporation, a non-profit research, development, and analysis organisation that works in support of the United States Navy and Marine Corps. Jan stresses the importance of the role that culture plays in his efforts to oversee and digitally transform cybersecurity functions at CNA. He explains that, when employees are aligned with the company's mission and values, they exhibit more engagement, motivation, and commitment to achieving the organisation's goals.

"It fosters a collaborative environment where people feel empowered to give their best effort," he says, noting that this collaborative culture is a key driver of innovation and efficiency. Perhaps most importantly from Jan's perspective, he adds that culture acts as a shield against a wide variety of challenges, including cybersecurity threats.

Cybersecurity

CNA, like many other organisations entrusted with managing sensitive information, has witnessed first-hand the emergence of several technological and operational developments in the threats it faces. However, Jan explains, the strong organisational culture he has helped build at CNA plays a pivotal role in navigating these challenges.

Jan joined CNA in August of 2022. In his role as CIO, he oversees the establishment and execution of the organisation's IT, cyber, and industrial security strategy, ensuring the delivery of all information and technology capabilities required for the successful achievement of CNA's mission. He explains that his responsibilities "span a wide range of areas within the organisation," including the development, oversight, and execution of a new cybersecurity strategy for CNA aiming to "optimise efficiency, reliability, and security" across the organisation.

"Over the last year and a half, my role as CIO has evolved in response to changes in the business environment and advancements in technology," Jan explains. "I've been actively involved in leading digital transformation initiatives aimed at modernising our IT infrastructure."

This sweeping transformation has comprised the implementation of multiple cloud-based solutions, and the enhancement of CNA's digital capabilities to meet the evolving needs of its stakeholders. Additionally, Jan adds, he has taken on "a more strategic role in shaping the organisation's approach to data management, cybersecurity, and emerging technologies such as artificial intelligence and machine learning". This is especially important, as technologies like Generative AI are already having a marked impact on the cybersecurity landscape.

A holistic business transformation integrating culture with security and technology

This shifting landscape of both external threats and internal transformation has necessitated profound changes within CNA. Jan reflects that, as the organisation and the broader context within which it operates has changed, his own role has become increasingly "dynamic and multifaceted" as he has supported CNA's journey towards "continuous digital business transformation". These challenging circumstances have demanded rapid adaptation to changing business needs, with Jan driving organisational transformation, and leading CNA's team through periods of growth. Throughout this period of accelerated evolution, Jan emphasises that his team's continued successes highlight the importance of fostering a culture shift in tandem with - and in support of - organisational change.

Over the past 18 months, Jan has spearheaded a series of digital and procedural implementations with the goal of improving both the internal functionality and external security of CNA.

"In the past year and a half, I've addressed numerous challenges," he explains. "We identified and addressed cybersecurity vulnerabilities, enhancing our defences to counter evolving threats."

Addressing these vulnerabilities required the implementation of "comprehensive security measures", including regular vulnerability assessments, employee training programs, and the implementation of advanced cybersecurity tools and capabilities. Throughout this process, Jan highlights the fact that fostering a culture of security awareness was integral to his attempts at increasing CNA's cyberreadiness.

"We had to ensure every member of the organisation was equipped to contribute to CNA's defence against cyber threats," he says. "Security tools and technology by themselves aren't enough; you need people to embody a culture of preparedness and awareness of cyber risk."

Jan also stresses that, in an increasingly interconnected digital landscape, CNA's response to cyber risk needs to be similarly holistic. "Combating threats that we face requires not only constant vigilance but a proactive and holistic approach - it's cultural, procedural, and technological," he explains.

Modernising infrastructure

Another challenge Jan and his team addressed was modernising CNA's IT infrastructure with the goal of improving its efficiency and ability to scale up or down as needed. This, he elaborates, involved migrating legacy systems to cloud-based platforms, optimising network architecture, and implementing automation tools to streamline processes and reduce manual workload.

Jan also focused on enhancing data management practices to ensure data integrity, availability, and compliance with regulatory requirements. Navigating the complex regulatory landscape and ensuring compliance with industry regulations and data protection laws presented its own set of challenges. This included implementing robust data governance policies, enhancing data security measures, and improving data analytics capabilities to drive informed decision-making across the organisation, as well as working to stay abreast of regulatory changes, conducting regular audits and assessments, and implementing measures to address compliance gaps.

Addressing these compliance and security gaps has been "critical" to the project of strengthening CNA's IT capacities, Jan reflects. "It's been challenging and complex, no denying it. But I'm proud of the progress we've made in strengthening CNA's cybersecurity posture and mitigating risks to the organisation," he says. "It's been a collaborative effort involving stakeholders from across the organisation, and I'm confident in the fact that we're better positioned to address future cybersecurity challenges as they arise."

Cultural transformation

No amount of process and digital transformation will be impactful in the long term without the culture to back it up. "Culture eats strategy for lunch," says Jan. "Every digital transformation is, at its heart, a cultural transformation."

Embracing new technologies and digital tools often requires a shift in mindset, behaviour, and habits, and the change needs to take place from the bottom up across the organisation. Jan believes that without cultural change, the kinds of technology implementations his team are driving won't stick. Jan also stresses that, without addressing other cultural aspects such as leadership buy-in, employee engagement, and organisational agility, digital transformation initiatives will struggle to achieve their potential. Despite the fact digital transformation has become the default state of operation for many companies around the world, data gathered by McKinsey shows that as many as 70% of digital transformation projects fail to meet their stated goals.

By articulating the business vision for digital transformation, and emphasising its importance in achieving strategic objectives, Jan has been able to garner support and buy-in from leadership and employees alike. "I've focused on empowering employees to embrace change and innovation by providing training, resources, and opportunities for skill development. I encourage a growth mindset and try to reward experimentation," he says. "I've also worked to break down silos and encourage collaboration across departments and teams." Fostering crossfunctional collaboration and promoting open communication channels, Jan has been able to leverage diverse perspectives and expertise to drive innovation and problemsolving.

"Cultural transformation is essential to fostering innovation, driving collaboration, and enabling the organisation to adapt to the rapidly changing digital landscape," Jan argues. "Ultimately, successful digital transformations are as much about people and culture as they are about technology."

Looking to the future

2024 promises to be a year of complexity, risk, and accelerating change for the cybersecurity sector. Cybercrime is projected to cost the global economy a total of $9.5 trillion this year, and both the private and public sectors are firmly in the crosshairs of an increasingly professional and well-equipped class of criminal and state-sponsored bad actors.

Jan notes that, while there are challenges on the horizon, there are opportunities too. "One of the main focuses for the upcoming year is further enhancing our cybersecurity capabilities to stay ahead of the evolving threats we're seeing start to affect the industry." This involves investment into advanced technologies, strengthening CNA's incident response processes, and fostering a culture of cybersecurity awareness among its employees. In addition to these initiatives, Jan is particularly excited about the implementation of a comprehensive Counterintelligence program. "This program will enable us to proactively identify and mitigate insider threats, including unauthorised access, data exfiltration, and malicious activities by employees or trusted partners."

Furthermore, Jan stresses the importance of aligning technology initiatives with the organisation's overall business objective and culture. "Effectively leveraging technology is crucial for providing value to the business," he affirms. "However, doing so presents not just a technical challenge but also a strategic imperative that demands alignment with our overall business objective and culture. CNA will maintain collaboration with strategic partners, leveraging their expertise, products, and services to fulfil our strategic objectives."

"Specifically, we're leveraging ServiceNow's security operations solutions to enhance our cybersecurity capabilities," he adds, noting that the unified platform will "streamline CNA's incident response processes, enabling us to detect, prioritise, and respond to security incidents more effectively."

Looking ahead, Jan emphasises that the successful integration of technology into the organisation's operations requires a cultural shift towards embracing innovation and aligning technology initiatives with the broader business strategy. He is confident that effectively leveraging technology will prove crucial in providing value to the business.