Part one of a two-part series
Recent global cyberattacks have provided a fresh reminder of the importance of ensuring organizations are defended against cyberthreats and that businesses are well prepared to respond to incidents. The risks aren’t new, but they are growing more pervasive. They threaten businesses, governments, and institutions of all sizes.
As businesses roll out plans to balance the needs of employees returning to the office with those continuing to work from home, both the network operations and security operations teams face increasingly complex puzzles. To solve them, many companies are asking those teams to work together to build a consistent and complete response to incidents and attacks. However, the chief information officer (CIO) and the chief information security officer (CISO) often are given conflicting priorities and pressures, creating natural friction that can get in the way of such an integrated strategy. In “Aligning IT and Cybersecurity,” a recent WSJ Pro Cybersecurity webinar sponsored by NETSCOUT, a panel of experts delved into the primary underlying factors.
“CISOs grapple with key decisions around data loss prevention, malware, antivirus, and encryption, and the administration of security controls and policies used to protect the business,” explained Mark Thomas, president of Escoute Consulting. “At the same time, CIOs are asked to ensure the performance of systems and services, and as a result may not prioritize security concerns. This may put their objectives at cross-purposes.”
The panelists noted several common points of friction between IT and security teams:
- New reporting structures. One of the most common sources of friction between IT and security is a change in reporting structures. “Today, many CISOs no longer report to CIOs, instead having direct responsibility to CEOs and sometimes even the board of directors,” said Thomas. “While this change in reporting structure can be beneficial, it can also be a source of friction when CIOs and CISOs have conflicting agendas.”
- Budget battles. Another critical source of friction is the battle over budget. “The CIO’s role is to deliver services quickly and efficiently for the business, while the CISO’s role is to try and protect vital information,” added Vonage Senior Vice President Sanjay Macwan. “All too often, CIOs and CISOs are competing with each other for the same budget resources, pitting their respective interests against each other for finite funds.”
- Compliance control. As organizations work to meet control requirements created by new rules and regulations, the question becomes, who owns the controls? As controls proliferate, ownership of those policies and procedures can become another point of friction between CIOs and CISOs. Again, the challenge here is effectively balancing performance and conformance—assuring efficiency, yet achieving security at the same time.
The Ripple Effect
Ultimately, the lack of alignment between IT and security professionals can resonate far beyond the data center.
“The ability to meet the demands of today’s evolving work environment, while minimizing security risks, will depend largely on how well IT and security teams work together and become fully aligned,” concluded Okta CIO Alvina Antar. “By building stronger relationships between these teams, clarifying roles and responsibilities, CIOs and CISOs can reduce the friction, setting cybersecurity policies and implementing an IT strategy that achieves the mission-critical objectives of the organization.”
In our next post, we will continue this discussion, delving more deeply into ways CIOs and CISOs can work together to increase alignment for delivering much-needed performance and security.
Watch the webinar: “Aligning IT and Cybersecurity”