
Perimeter
6/5/2019 10:30 AM
Leo Taddeo
Commentary

CISOs & CIOs: Better Together

An overview of three common organizational structures illustrates how NOT to pit chief security and IT execs against each other.

For certain critical IT deliverables, CIOs and CISOs embody the inherent tension between cybersecurity and operational requirements. Where the CIO is charged with delivering efficient IT infrastructure at low cost, the CISO is charged with ensuring that the same IT infrastructure operates within the risk tolerance parameters set by the board and CEO. Organizational structure has a lot of influence over how these functions operate and interact, and it can either exacerbate power struggles or facilitate alignment. Let's look at three common organizational structures and how CIOs and CISOs can work together to achieve their objectives.    

Most Challenging: CIO controls CISO budget and rates CISO performance
When the CISO reports to the CIO, the onus is on the CIO to decide whether to fund and support cybersecurity initiatives, or the core deliverables that the CIO is charged with delivering. If a compromise has to be made, the CIO may be tempted to sacrifice security over functionality or infrastructure improvements.

This reporting structure can create an environment that discourages the CISO from fully disclosing risk to the CEO and board. In other words, CISOs who answer to CIOs are more likely to shape their message to please the boss.

Advice: Create a safe environment where honesty is valued
A CIO must make it safe for the CISO to be honest without fear of retaliation, and in turn, the CISO must have the courage to trust the CIO and communicate openly about risk. CISOs are responsible for helping CIOs understand risk and making it easy for them to mitigate that risk. If the CIO chooses to ignore the risk and can't articulate why, then the CISO must be prepared to escalate the issue to other executives and/or risk owners.

Better: The CIO and CISO are separate roles, reporting to different execs
When the CIO and CISO report to different executives, some of the challenges discussed above are removed. But tension can still arise between the two missions one level up, where the sponsoring executives set conflicting priorities. The failure to patch the Apache Struts vulnerability that led to the Equifax breach of 2017 illustrates the point. As Richard F. Smith, the CEO of Equifax, explained to Congress:

On March 9, Equifax disseminated the U.S. CERT notification internally by email requesting that applicable personnel responsible for an Apache Struts installation upgrade their software. Consistent with Equifax's patching policy, the Equifax security department required that patching occur within a 48-hour time period. We now know that the vulnerable version of Apache Struts within Equifax was not identified or patched in response to the internal March 9 notification to information technology personnel.

While it's not clear why IT personnel did not patch the vulnerability, it is clear that the warning from the cybersecurity department and the security patching policy were not followed. This type of breakdown is more likely to occur where the IT personnel report up to a CIO and the cybersecurity personnel report to a CISO, each with a separate sponsoring executive. Neither has complete and unambiguous responsibility for patching, which leaves the decision to remediate without a clear owner.

Advice: Rise above the conflict
In this scenario, the CISO and CIO must be careful not to amplify whatever misalignment exists between the executives above them. A good CISO and CIO will be "bigger" than the roles they're in and decide between themselves what's best for the business. The priority should be visibility and effective execution, even if it means compromise. Constant, open communication in this scenario is crucial.

Best-Case: Separate roles reporting to a single executive
Ideally, the CIO and CISO are two separately-defined peer roles that report to one executive responsible for delivering a secure IT environment that supports the business strategy. This helps ensure that the CIO and CISO have mutually complementary requirements. When a disagreement arises, one executive is accountable for making a decision that is beneficial to the business.  

Advice: Maintain transparency across the organization
Everyone needs to be on the same page when it comes to evaluating and prioritizing different types of risk (information security, operational, and financial). Ideally, transparency and healthy communication exist across the environment. When there's transparency across all types of risk, the business can make high-level executive decisions regarding which ones to transfer, mitigate, and assume. The CISO isn't in a position to minimize or overstate risk. Everyone puts their cards on the table, and decisions are made based on what's best for the business.

To be successful in their missions, CIOs and CISOs must be in alignment. A vulnerable IT infrastructure won't withstand today's threats, and without an IT infrastructure, there's nothing to secure. At the end of the day, it's about enabling the business, and that can only be done together.

Leo Taddeo is responsible for oversight of Cyxtera's global security operations, investigations and intelligence programs, crisis management, and business continuity processes. He provides deep domain insight into the techniques, tactics and procedures used by ...