Linh Lam, CIO, Jamf, says there must be a shift in mindset so that IT and security teams regard each other as partners.
IT and security have long been the frenemies of the corporate world. While the two departments focus on the organization’s technology, they have very different priorities that often put them in conflict.
CIOs and their IT teams are focused on delivering digital services, whether implementing new projects or ensuring reliable uptime for existing systems. Their eyes are fixed on boosting competitive advantage and maintaining customer satisfaction – so speed is of the essence.
In contrast, CISOs and their security teams are ultimately responsible for keeping the enterprise safe from cyberthreats. This means they spend much of their time finding and fixing the privacy and security risks in the same digital services the IT team are working on so fervently.
The conflicting goals mean the security team is often cast as the ‘Department of No’ – the naysayers always finding objections and putting up roadblocks to progress. The IT department, meanwhile, can be seen as overly reckless, throwing caution to the wind and inadvertently increasing cyber-risk in pursuit of their goals.
The issues have become more pronounced as keeping ahead of the technology curve has become more important. IDC estimates worldwide spending on Digital Transformation will hit US$3.4 trillion by 2026, and CIOs are under intense pressure to get their enterprises ahead of the competition.
Simultaneously, security has climbed to the top of the corporate agenda. With IBM’s latest Cost of a Data Breach report estimating the average global cost at US$4.35 million, no organization can afford to take cyber lightly.
Additionally, CISOs have begun to catch up to CIOs as influential business leaders, undergoing the same transition from technical specialist to innovator and revenue generator.
Gartner reports that CISOs have become 'key enablers of digital business and are accountable for helping the enterprise balance the associated risks and benefits' due to their role in measuring, prioritizing and improving the enterprise's security posture.
With IT and security often already at odds, this expanded role could lead to more conflict as the two departments compete for budget and boardroom attention.
Alternatively, IT and security could work together, complement each other’s capabilities, and pool their talents to help their company unlock digital opportunities without inviting in cyber-risk.
So how do we get these two departments on the same page again?
There must be a shift in mindset so that IT and security teams regard each other as partners.
The IT department needs security because, while speed is important when developing and deploying applications, it must not jeopardise the organization’s cyberdefenses. Celebrations for a short development cycle and successful product launch will be undermined if leaky security causes a significant breach.
Meanwhile, security teams should consider their IT counterparts a telemetry system for cyber-risk. Working closely with the IT department will give security pros more feedback and insight into the workforce’s security and productivity needs.
Cultural change generally comes from the top down, so CIOs and CISOs need to take the lead in opening up communication and collaboration.
CISOs can slot into the business hierarchy in multiple ways. A study by PwC found that the largest share of CISOs (40%) now report to the CEO. Other common options are for the CISO to report directly to the board or to the CIO.
Having both the CIO and CISO report to the CEO is thought to help reduce friction since it puts the departments on equal footing.
On the other hand, in some situations it makes more sense for the CISO to report to the CIO. Let's say we have a CIO who has made a name for themselves as a strategic business leader and understands that risk management, especially cybersecurity, is critical to success. In that case the CISO gains an advocate rather than an adversary, and the reporting line strengthens the partnership rather than undermining it.
Alternatively, if the business operates in an industry with substantial regulatory obligations, such as a retailer working under PCI DSS or a financial firm looking to comply with CBEST, reporting directly to the General Counsel's office makes sense.
There is no one-size-fits-all model, and every firm should explore the structure that aligns with their security objectives and imperatives.
Divisions often arise because security is perceived as the final step. IT may feel they've worked hard to produce some fantastic new software, only for the 'Department of No' to spring into action with their red pen and cause delays and headaches.
Or perhaps the security team feels they have been forced to scramble around and find a solution that will keep a critical new piece of architecture from causing catastrophic security issues. No one told them about it until a few days before the launch date.
Both teams feel wronged by scenarios like this, and these late-stage conflicts will only harm the company they’re both working to improve.
Instead, IT and security need to work closely together from the beginning, from application ideation to architecture design, right through to the final review stages.
This means the due diligence around vulnerabilities and risk exposure is completed early, and security is baked into the resulting product or project rather than bolted on at the end. This is exemplified in the DevSecOps approach, with security interwoven throughout the development lifecycle rather than treated as a final hurdle.
Security demands have changed drastically, and the CISO role must evolve to match.
In today’s more complex digital world, security has moved away from pure technology to merge with organizational risk management. Cyber-risk intersects with every element of the organization, so it must be treated as a strategic business function rather than a niche technical concern.
As such, CISOs must be able to function as central leaders in combating risk across the business. This means having a seat at the table and being free to work alongside their CIO counterparts, not against them.
With CIOs and CISOs working at the same level, from the same page, IT and security can finally bury the hatchet and work together as they help their organization on its Digital Transformation journey.