[BreachExchange] CISOs & CIOs: Better Together

Destry Winant destry at riskbasedsecurity.com
Thu Jun 6 09:42:12 EDT 2019


https://www.darkreading.com/network-and-perimeter-security/cisos-and-cios-better-together-/a/d-id/1334850

For certain critical IT deliverables, CIOs and CISOs embody the
inherent tension between cybersecurity and operational requirements.
Where the CIO is charged with delivering efficient IT infrastructure
at low cost, the CISO is charged with ensuring that the same IT
infrastructure operates within the risk tolerance parameters set by
the board and CEO. Organizational structure has a lot of influence
over how these functions operate and interact, and it can either
exacerbate power struggles or facilitate alignment. Let's look at
three common organizational structures and how CIOs and CISOs can work
together to achieve their objectives.

Most Challenging: CIO controls CISO budget and rates CISO performance
When the CISO reports to the CIO, the onus is on the CIO to decide
whether to fund and support cybersecurity initiatives or the core
deliverables that the CIO is responsible for. If a compromise
has to be made, the CIO may be tempted to sacrifice security in favor
of functionality or infrastructure improvements.

This reporting structure can create an environment that discourages
the CISO from fully disclosing risk to the CEO and board. In other
words, CISOs who answer to CIOs are more likely to shape their message
to please the boss.

Advice: Create a safe environment where honesty is valued
A CIO must make it safe for the CISO to be honest without fear of
retaliation, and in turn, the CISO must have the courage to trust the
CIO and communicate openly about risk. CISOs are responsible for
helping CIOs understand risk and making it easy for them to mitigate
that risk. If the CIO chooses to ignore the risk and can't articulate
why, then the CISO must be prepared to escalate the issue to other
executives and/or risk owners.

Better: The CIO and CISO are separate roles, reporting to different execs
When the CIO and CISO report to different executives, some of the
challenges discussed above are removed. But tension can arise between
the two missions at an abstracted level. The lack of patching of the
Apache Struts vulnerability that led to the Equifax breach of 2017
illustrates the point. As Richard F. Smith, the CEO of Equifax,
explained to Congress:

On March 9, Equifax disseminated the U.S. CERT notification internally
by email requesting that applicable personnel responsible for an
Apache Struts installation upgrade their software. Consistent with
Equifax's patching policy, the Equifax security department required
that patching occur within a 48-hour time period. We now know that the
vulnerable version of Apache Struts within Equifax was not identified
or patched in response to the internal March 9 notification to
information technology personnel.

While it's not clear why IT personnel did not patch the vulnerability,
it is clear that the warning from the cybersecurity department and the
security patching policy were not followed. This type of breakdown is
more likely to occur where the IT personnel report up to a CIO and the
cybersecurity personnel report to the CISO with separate sponsoring
executives. Neither has complete and unambiguous responsibility for
patching, which is not conducive to decision-making.

Advice: Rise above the conflict
In this scenario, the CISO and CIO must be careful not to amplify
whatever misalignment exists between the executives above them. A good
CISO and CIO will be "bigger" than the roles they're in and decide
between themselves what's best for the business. The priority should
be visibility and effective execution, even if it means compromise.
Constant, open communication in this scenario is crucial.

Best-Case: Separate roles reporting to a single executive
Ideally, the CIO and CISO are two separately-defined peer roles that
report to one executive responsible for delivering a secure IT
environment that supports the business strategy. This helps ensure
that the CIO and CISO have mutually complementary requirements. When a
disagreement arises, one executive is accountable for making a
decision that is beneficial to the business.

Advice: Maintain transparency across the organization
Everyone needs to be on the same page when it comes to evaluating and
prioritizing different types of risk (information security,
operational, and financial). Ideally, transparency and healthy
communication exist across the environment. When there's transparency
across all types of risk, the business can make high-level executive
decisions regarding which ones to transfer, mitigate, and assume. The
CISO isn't in a position to minimize or overstate risk. Everyone puts
their cards on the table, and decisions are made based on what's best
for the business.

To be successful in their missions, CIOs and CISOs must be in
alignment. A vulnerable IT infrastructure won't withstand today's
threats, and without an IT infrastructure, there's nothing to secure.
At the end of the day, it's about enabling the business, and that can
only be done together.

