The CIO's role in strengthening information security
The CIO is critical for ensuring strong cybersecurity within the organization. Learn why the CIO's role inherently makes that difficult, and how to overcome obstacles.
These are trying times for IT professionals. With such a reliance on technology combined with so many people now working remotely, the organization's security hangs in the balance like never before.
There's not only pressure to perform but to get security right every time. Ensuring good network and system security is tricky enough for technical staff. When overall business resilience falls under your domain as the CIO, it's even more to take on and can seem insurmountable.
As the IT leader of a business, you don't want to overpromise or make guarantees that all is well with security. But you will need to address how the business can foster security and how you can ensure that it happens. An underlying factor complicating enterprise information security is the reality that your role -- as with most CIOs -- is likely not very straightforward.
The CIO and enterprise information security challenges
I work with a lot of CIOs and see so many of the challenges they face. Some challenges are technical. Some challenges are operational. But many have to do with people and politics.
All too often, CIOs are tasked with addressing every single IT initiative. However, when so many projects are taking place at once -- with many of them mired in complexities -- it creates distraction that effectively disables security.
Further exacerbating the challenge of strengthening security, CIOs must execute a unique balancing act that few understand or appreciate. When compared to other executives involved with security, such as the chief information security officer (CISO) or chief risk officer (CRO), the CIO must make IT work while also making security work -- and IT and security are often at odds with one another.
I've seen firsthand where the CEO and other business leaders don't fully comprehend what the CIO is up against.
Take, for example, a CISO who has a to-do item such as implementing a new patch management or implementing a new security incident and event management system. That CISO can focus on improving security. When a CIO has a to-do item, such as upgrading the ERP system or ensuring that a new customer-facing application is deployed, they must balance very specific business needs with both technical requirements and security requirements. The endeavor is more complicated.
I've seen firsthand where the CEO and other business leaders don't fully comprehend what the CIO is up against. They don't understand or appreciate the difficult work of making everything function on top of also being secure.
Creating an integrated, well-functioning and secure enterprise technology ecosystem requires solving tech problems -- and developing soft skills. If all CIOs had to do is address technical issues, there would be minimal stress and maximum security. Once people and business factors come into play, though, that changes things. The misunderstandings associated with the CIO's role often come down to poor communication and a lack of strong relationships.
Strong cybersecurity requires good communication
If you're a CIO charged with maximizing security outcomes, while at the same time ensuring projects are implemented and everything "just works," focus on strengthening your relationships with those who can help you. Security is about buy-in, and it's especially important for those who don't fully understand it.
As a CIO seeking to gain security buy-in and help with the responsibilities, focus on sharing tangible business risks you can tie to security vulnerabilities. Whether those issues are technical or operational, be very specific in how they have created risks.
Next, propose the solutions to solve each of the risks and solicit feedback from your executive peers on what makes the most sense to them. Avoid unloading a thousand details on each of the issues you're dealing with and assuming that's what they want to hear.
Instead, ask them what they need to make more informed decisions. That's it -- just ask them. You'll most certainly initiate some good dialogue and likely get some great ideas out of the conversation. It can be a difficult task for many of us IT professionals. But simply showing some human vulnerability and asking others for help is one of the best ways to foster relationships, generate new ideas and solve big business problems.
Many people assume that information security is IT's problem to solve. Security should be a collective effort that cuts across departments. Similar to finance, operations and legal, information security touches virtually every aspect of the business. As you've likely heard, you must solve problems at a higher level than which they were created. That's your task.
About the author Kevin Beaver, CISSP, is an independent information security consultant, writer and professional speaker with Atlanta, Ga.-based Principle Logic. Author of the best-selling book Hacking For Dummies, he specializes in vulnerability and penetration testing, security program reviews and virtual CISO consulting work.