As a CIO, your efforts to shore up cybersecurity are critical.
Due to the widespread reliance on technology, exponential increase in remote work, complexity of modern networks and proliferation of advanced threats, organizational security is more challenging than it's ever been. Despite that, the pressure is on to get security right every time.
When overall business resilience falls under your domain as the CIO, managing all the necessary tasks to create strong cybersecurity can seem insurmountable. These challenges are especially evident if you don't have all the right people on your side.
As the IT leader of a business, you don't want to overpromise or make guarantees that all is well with security. But you need to address how the business can foster security, along with a checks-and-balances system, to ensure you're doing what's necessary to minimize the impact of security events.
One complicating factor is the reality that your role -- as with most CIOs -- is likely not straightforward, especially as it relates to security oversight.
Why the CIO's role in cybersecurity is so complex
Today's CIOs can welcome new opportunities, but they also face a vast array of new challenges. Some challenges are technical; some challenges are operational. But many challenges -- arguably most -- have to do with people and politics, and those challenges aren't so straightforward to solve.
All too often, CIOs must address every single IT initiative. However, attempting too many complex projects at once can create distractions that disable security measures. While security requirements are often a part of the project discussions, baking in true resilience rarely occurs. There just aren't enough resources to make it all happen as smoothly as it should.
Further exacerbating the challenge of strengthening security, CIOs must execute a unique balancing act that few understand or appreciate. Compared to other executives involved with security, such as the CISO or chief risk officer, the CIO must make IT work, while also making security work.
Take, for example, a CISO with a critical to-do item, such as implementing a new patch management system or a new security incident and event management system. The CISO can focus solely on improving security.
However, when a CIO has a critical to-do item, such as upgrading the ERP system or deploying a new customer-facing application, they must balance specific business needs with technical and security requirements. These variables can make the overall endeavor much more complicated.
I've seen firsthand the CEO and other business leaders not fully comprehend what the CIO is up against. They need to understand and appreciate the CIO's efforts to make IT both functional and secure. This lack of empathy can quickly cascade into something more serious. For example, a CIO might not receive financial and political support for proper security controls and oversight.
Creating an integrated, well-functioning and secure enterprise technology ecosystem requires solving technical problems -- and nurturing soft skills. If all CIOs had to do was address technical issues, there would be minimal stress and maximum security. However, balancing people and business factors at the same time changes the situation. Many misunderstandings surrounding the CIO's role in the company come from poor communication and a lack of strong relationships. All it takes is a poor relationship with the CISO or insufficient security buy-in and vision from other business executives and stakeholders to see this problem play out.
The CIO's enterprise cybersecurity duties
One of the most critical aspects of well-run IT environments and resilient security programs is ensuring that both the CIO and CISO understand the security expectations top leadership has of them. The following are examples of what oversight might look like in terms of a CIO's security responsibilities:
- Install and oversee the proper technologies needed for internal technical controls. This duty requires design, implementation and ongoing support to help with existing security policies and procedures and other potential areas of opportunity.
- Serve on the security or enterprise risk management committee. This duty requires providing IT infrastructure and business-related insight into the risks identified by the security and compliance teams, along with how current and future IT initiatives can help to support ongoing security requirements.
- Assist with incident response efforts. This incident response duty involves working closely with the security and legal teams to appropriately respond to and recover from security events.
- Ensure that the enterprise embeds security controls throughout. This duty requires understanding both known and potential risks and strengthening relationships with other executives to bridge the gap between business and security.
- Monitor vendors for proper cybersecurity controls. This duty requires the intake and review of security questionnaires or similar vendor management efforts for existing and future IT-related vendors.
These potential responsibilities are informed generalizations since the CIO's vs. the CISO's purview depends on the organization's needs. There could be an overlap between the CIO and CISO in some or all the above efforts. The division of labor comes down to company direction, skill sets and general preference.
What is important: The CIO and CISO must form a partnership, discuss each role's scope and document expectations.
A CIO's relationships key to cybersecurity
If you're a CIO charged with maximizing security outcomes while, at the same time, ensuring projects are implemented and everything "just works," focus on strengthening your working relationships with those who can help you. That might be the CISO. It could also be the COO, CFO or the other members of an enterprise risk management team, such as the chief legal counsel.
Security is about obtaining and maintaining buy-in over the long haul, and it's key for those who need help understanding it.
As a CIO seeking to gain security buy-in and help with the responsibilities, share tangible business risks that tie into security threats and vulnerabilities. Whether those issues are technical or operational, be specific about how they have created risks for the enterprise.
Next, propose potential responses to each risk, and solicit feedback from executive peers on what makes the most sense to them. Avoid overloading them with too many details because you assume that's what they want to hear. Remember, everyone has priorities and challenges specific to their roles. Your priorities most certainly won't be theirs.
Instead, ask them what they need to make an informed decision. That's it -- ask them. You'll initiate some good dialogue and likely get some great ideas out of the conversation.
Communication can be a difficult task for many IT professionals. But showing vulnerability and asking others for help are some of the best ways to nurture strong relationships, generate new ideas and solve big business problems. Furthermore, people working outside of IT can often bring a fresh perspective to technical challenges.
Many people assume that information security (infosec) and cybersecurity are IT's problems to solve, but security should be a collective effort that cuts across departments. Similar to finance, operations and HR, infosec touches virtually every aspect of the business. As you've likely heard, a CIO must solve problems at a higher level than when they were created. That's the task.
Focus on communication and fostering relationships so that others can help you, the CIO, solve these business challenges.