[BreachExchange] The Evolution of CISO & CIO

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 17 10:12:56 EDT 2017


http://www.itsecurityguru.org/2017/03/16/evolution-ciso-cio/

Data security is a big deal. You know it, I know it, and it is hard to
argue at this point in time that, unless you’re living off the grid, data
security is a universal value. On an almost daily basis, data breaches and
their severe, far-reaching consequences are reported in the news, leaving
organisations on a multinational scale in no doubt that this is an issue of
the very highest significance.

Further, regulations such as the GDPR and Privacy Shield have been
introduced in order to safeguard customer data, pushing data security to
the top of the C-suite agenda from a legal compliance perspective. So
nowadays, data security is receiving the attention it should in many
forward-thinking companies. But it was not always this way.

The CIO — an officer alone

Looking back several years, cybersecurity, while important, had not reached
the boardroom agenda. It was still bubbling beneath the surface, viewed as
an issue that fell within the remit of the IT department alone. Whilst
digital processes still existed within business at this time, companies
were far less reliant on them for day-to-day operation, and fewer customer
details were stored in the cloud.

This meant that although a data breach would be an inconvenience and best
avoided, it would not have the catastrophic effects of the cyber attack of
the modern era. Imagine a ransomware attack on a platform like Hailo —
business (and a swathe of the taxi industry in the UK) would come to a
screeching halt. But prior to the turn of the millennium, data security
existed primarily as a bullet point on the job description of the Chief
Information Officer (CIO). It was one of many issues a CIO was tasked with
handling, alongside IT resource management, budgeting and internal
operations. CIOs prioritised ensuring their systems and services ran
flawlessly for their end-users, and often security capabilities were
prioritised second or third.

Enter the CISO

The CISO’s top priority is to protect corporate data and critical computing
resources. As digital transformation has expanded to encompass all
industries and sectors, technology has become an integral part of everyday
business. Digital processes and applications have evolved beyond internal
data storage and communication. For many companies, interaction with
customers takes place almost solely across digital platforms. But whilst
technology has huge benefits to offer the enterprise, heavier reliance on
digital has resulted in increased vulnerability to online threats.

Consequently, cybersecurity has become an issue that requires full-time
attention. And businesses have responded to this changing landscape by
prioritising the CISO role. This served the dual function of providing
additional risk mitigation for the enterprise, and freeing up the CIO to
focus on wider strategic and operational requirements, IT maintenance, and
further opportunities for digital transformation.

But it is not an entirely straightforward solution. Separating
cybersecurity and IT roles in this way has the potential to cause conflict.
For instance, what happens if the CIO wants to implement a particular
solution that the CISO deems to be a risk from a security perspective? Who
has the final say?

A changing of the guard

Whilst the hierarchy of the CIO and CISO remains fairly ambiguous and can
vary between organisations, it has traditionally been commonplace for the
CISO to defer to the CIO in instances of conflict.

However, I would envisage these roles reversing in the future. The
significance of data security has moved beyond the IT department and become
a business-wide, and even board level, concern. In particular, the
explosion of cloud computing means that company data is no longer stored
exclusively within the confines of the data centre, but carried on
employees’ endpoint devices such as laptops and tablets. And the prevalence
of BYOD culture has led to an unprecedented rise in shadow IT — people
using unauthorised tools to complete tasks with ease of use as the primary
selection criterion.

The role of a CISO is to partner with the C-Suite and help the business run
faster and do so securely. Traditionally, security organisations were
viewed as slowing things down and often saying “no” to the business. In my
humble opinion, that is not the proper mindset for any security
organisation. Identifying techniques and tools to accelerate the
competitive advantages of your employer and outmaneuver the competition is
now part of the job description; or it should be.