As cybersecurity risks increase, it has become more essential than ever for CIOs to collaborate with CISOs. Yet most enterprises struggle to get the two on the same page.
Many enterprises struggle to get IT and security on the same page, and over time that friction slows digital transformation and overall growth.
Experts believe that most IT and security organizations do not function well together. Many security leaders find it challenging to keep IT and security in sync as enterprises accelerate digital transformation initiatives, and there are significant roadblocks to aligning the CIO and CISO behind the same overall enterprise objectives.
According to the 2018–2019 Global Information Security Survey report by EY, 77% of organizations still operate with limited cybersecurity and resilience. ISACA’s 2018 Cybersecurity Culture Report concurs: 95% of the 4,815 business and technology professionals who responded believe there is a gap between their organization’s anticipated and actual cybersecurity.
One assumption that creates barriers between IT and security is the idea that the security team slows down business momentum. This perception is partly self-inflicted: for years, security leaders tended to offer doom-and-gloom scenarios to justify their investments, building walls between themselves and other teams, who came to see them as the people who always fear the worst.
Experts believe that although worst-case scenarios cannot be dismissed, CISOs need to analyze situations more effectively, categorize risks by their impact on the business, and articulate those risks to CIOs more clearly. Involving CIOs helps CISOs balance security against business objectives, allocate budgets, and decide which threats merit attention.
The ideal situation, according to experts, is when CISOs and CIOs work jointly on operations and even cross-train their teams, so that each member better understands their counterparts’ responsibilities, the boundaries of their roles, and where the work overlaps. This helps the CISO and their team recognize that developers’ primary responsibility is writing code that delivers the functionality the business needs, and that adding security is not their priority. This is where the security team can work with IT to develop more secure code, and when problems arise, both can work on finding solutions together. Experts call this the ‘WE approach.’
The problems in aligning the CIO and CISO also lie in the way the company sees security. For many firms, security is still a ‘nice-to-have’ rather than a priority. Experts believe that treating security as someone else’s problem derails conversations about security risk. The ISACA cybersecurity report says that the primary factors hindering an effective culture of cybersecurity relate directly to misperceptions: 41% of business and technology professionals cite a lack of employee buy-in, 39% blame disparate business units, and 33% cite the absence of key performance indicators in this area as barriers to creating a security culture.
Another significant reason for misalignment is that the CISO does not have an equal voice in the enterprise. Because security is not seen as a function that drives the business forward, CISOs talk less often with other executives and board members and so have fewer opportunities to discuss risk. This leaves CISOs and CIOs with competing priorities, which pushes them apart.
Experts say that both need to share responsibility for where the organization is going and for how their functions contribute to its strategy, set priorities accordingly, and collaborate. They also point out that communicating this to their staff is critical, since nothing derails alignment faster than teams hearing different messages from their leaders.
Experts also believe that the two positions should have clearly defined roles and responsibilities for issues such as how security technologies are selected and how security issues are resolved.