How does information security end up in the portfolio of the CIO?
Historically, the CIO has ended up in charge of information security in many organizations because many tactical measures required to deal with cyber threats lie in the IT field.
For decades, executive management has lived with the perception that information security breaches have a low frequency and a low impact. To be fair, the size of the risk map which board members have to respond to has increased enormously over the past 10 to 15 years – and today, information-related risks are still just one small part of that overall risk map. Geopolitical and financial risks have escalated, as well as environmental risks – which have become more and more prominent in recent years. When coupled with endemic short-termist or compliance-obsessed management tendencies, cyber risks have often failed to be picked up on the board of directors’ radar up to now.
Occasionally, the topic might have been escalated by auditors or regulators, but overall it was seen as part of the normal way of running a large and complex organization where many things can go wrong every day.
A number of very high-profile data breaches in recent years (Target, Sony, Ashley Madison, Talk Talk etc…) have started to change that perception. However, many board members still tend to see cyber security breaches as something technical they don’t really understand.
Can the CIO make a difference?
With the right attitude, the CIO can be a real driving force behind significant information security improvements.
In our opinion, it is not necessary to be overly concerned with 'separation of duties' considerations. In most organizations, the CIO is a respected executive – as either a board member or reporting directly to a board member – and is entrusted with the management of large teams and very significant budgetary responsibilities.
The risk is often greater for an arbitrary separation of duties to fuel internal politics and paralyze effective decision making.
What are the factors shaping the relationship between information security and the CIO?
First of all, the CIO needs to be control-minded for the relationship to function, or at least should have an interest in information security matters and some grasp of the concepts involved.
If the CIO is not personally or politically capable of looking beyond financial or IT delivery matters, information security will often be delegated down and, over time, turn into a mere box-checking exercise.
While this may randomly protect the organization to a level which satisfies executive management, it will also perpetuate the poor practice belief that cyber threats aren’t really that important – with auditors and regulators continuing to run the control agenda.
This is a situation which we observe constantly in the field, with organizations failing to properly address the ongoing threats they face – in spite of spending huge sums of money on audit or compliance-driven programs of work, or in knee-jerk response to incidents.
If the CIO is control-minded and wants to make a difference, he or she needs a clear definition of their information security role and a clear remit.
It’s important to remember that information does not only exist in digital form. It also has a physical form, and more importantly it is constantly manipulated by people as part of business processes. When it comes to personal information, there is often a complex legal framework to comply with, particularly for global organizations. Protecting information requires concerted action at a physical, functional and technical level. But the CIO can only be directly responsible for the technical aspects of information protection.
How does a CIO implement a successful approach to information security?
The CIO needs to send the right messages in three directions: upwards, downwards and sideways – and will face key management challenges in each case.
Managing upwards: How to engage with board members on information security matters?
CIOs will find that executive management is becoming more and more receptive to the cyber security messages being hammered out by politicians and the media. Board members might also have been scared by recent data breaches and the aggressive media coverage that surrounded them.
Many board members have started to understand that, even if significant information security breaches still have a relatively low frequency (all things considered), this frequency has increased dramatically over recent years. In addition to this, the impact information security breaches can have has become more and more difficult to quantify due to the increasing dependency on third-parties and the tremendous amount of media and political interest that has been building up. Losses can easily run into the tens of millions and – more importantly – brand reputation and customer trust can be left irrecoverably damaged by cyber attacks.
The message from the CIO to the board must be clear: Where the problem is rooted in decades of neglect, under-investment, and adverse prioritization, there can be no miracle solution, technical or otherwise: Avoiding these breaches, or dealing with them, will require coherent action over time – across the whole organization. For this to be successful, each party involved (business units, HR, Legal, IT, etc…) needs to have a clear understanding of its role and remit.
This is why a medium to long-term strategy and a solid cross-silo governance model are essential to drive cyber security transformation. Ideally, it should also include a commitment from the board to medium to long-term funding, in order to allow all parties to plan information security delivery over the necessary timeframes.
The first challenge of the CIO is to drive this message upwards in the organization – to the board of directors and its members.
Cyber security is also inherently a global problem, and only with a clear and unambiguous vision – coming from the top – can the CIO be successful at delivering complex technical security platforms across all operational divisions and geographies of a large organization.
Managing downwards: How do you close the gap between security and IT?
At the same time, CIOs must look without complacency at their own organization.
Technologists are almost always trained and incentivised to prioritize delivering functionality, often seeing security controls as a pain point or a limitation to their work.
There is no natural cultural fit between security and IT. As a result, information security is rarely seen as a powerful career path – and it can even have the tendency to alienate talent.
The profile of the individual who is going to drive information security across the CIO’s organization and across the enterprise as a whole – the Chief Information Security Officer, or CISO – is fundamental.
Due of the inherent complexity and cross-silo nature of the topic, the CISO must be an experienced executive with a significant management background and gravitas, as he or she will have to build internal respect and leadership in order to be successful.
The CISO will also face the task of addressing the short-term tactical problems that will unavoidably stem from incidents or legacy situations – while driving the medium to long-term information security vision the CIO should be building with executive management.
These are attributes of seniority that are fairly rare, internally or externally. The CIO is not likely to find them amongst young executives, ex-consultants or ex-auditors.
Acknowledging the specifics of the role and finding the right CISO is the second key challenge for the CIO – and the most difficult.
It will take time and may require the personal and political courage to look at current organizational arrangements and restructure them.
The reporting line of the CISO is also essential, with the lack of cultural fit between security and IT being a key element in that respect. In order to be taken seriously across an organization, information security must be seen as a native part of the CIO’s responsibilities – and it is absolutely essential for the CISO to have a direct reporting line to the CIO. Blending information security with the portfolio of another IT executive, or pushing the CISO role further down in the org charts, is simply a recipe for failure – fuelling the de-prioritization of information security matters and further widening the gap between security and IT.
But, with the right seniority and profile, and at the right place in the CIO’s organization, the CISO – who should naturally navigate across corporate silos – can be a very powerful political ally for the CIO.
Managing sideways: How does the CIO lead themselves to success?
Finally, in order to be successful in establishing an effective Information Security practice, the CIO must remain focused and in control of their own cyber security priorities over the medium to long-term.
Where cyber security problems are rooted in decades of adverse prioritization or underinvestment, there can be no quick fix. Change can only take time and relentless drive.
Historically, audit functions have strongly interfered with the control agenda of many organisations and driven numerous tactical decisions – often justified by the absence of any strategic security vision or interest coming from executive management.
Now, it might be other senior stakeholders stepping in, asking for knee-jerk action in response to some high profile data breach happening elsewhere.
The problem is that these people can also lack real life field experience, often causing them to single out arbitrary issues, ignoring the cyber security bigger picture and how complex it can be to get things moving in that space.
These arbitrary issues can confuse priorities, and can easily cause a long-term information security plan to head off on a tangent.
The third challenge faced by CIOs is in tackling this issue. The CIO needs to manage the relationship with auditors and senior stakeholders firmly and intelligently in order to remain in control of the cyber security agenda.
First, the CIO must ensure that all parties are aware of the broader control agenda set for the whole organisation, and of the vital need to work within it.
But the CIO must also have the confidence, together with the personal gravitas and political acumen, to push back on arbitrary issues that do not fit within the broader control agenda.
All this can only work as part of a coherent medium to long-term information security strategy and governance model –unambiguously signed off by all parties.