When it comes to cybersecurity, organizations often walk a tightrope. Of course, they want the strongest defense possible. At the same time, they don't want solutions that overburden employees with intrusive security requirements that slow down productivity.
A prime example is multi-factor authentication, or MFA. While it has proven to be a strong deterrent against the growing variety of identity-based attacks, many organizations are slow to adopt this common-sense security control because employees dislike the extra steps required to log into systems they use many times a day.
Managing the delicate balance between security and productivity often rests with the CIO and CISO. And as cybersecurity increasingly becomes an enterprise-wide risk, compounded by the new threats that will emerge as a result of the anticipated rise of artificial intelligence in most companies, CIOs and CISOs must work more closely than ever to ensure the protection of their company's IT assets, with the least possible disruption to end users.
For many years, organizations often viewed cybersecurity as a "check the box" exercise. Companies could do the bare minimum to satisfy standards such as those developed by the National Institute of Standards and Technology (NIST). However, in the face of rapid growth in both the frequency and the variety of incidents, organizations are now aware of the potential financial and reputational risks of a cyberattack.
In the same way that the Enron scandal two decades ago ushered in a new generation of compliance requirements for businesses, elevating the CFO's role to greater importance at the executive level, the increasing frequency and intensity of cyberattacks today is shining a brighter spotlight on the CISO.
And yet, as many CISOs take on more risk and compliance responsibilities, it is imperative that security leaders learn to work more closely with the CIO, whose team owns many of the security practices and procedures that actually get implemented.
Understand the divide
While CISOs spend their days worrying about detecting and recovering from a cyberattack they know will inevitably occur, CIOs may be too distracted to fully absorb such risks. Instead, they think about how to modernize the company's infrastructure and improve the productivity of the workforce. Increasingly, the CIO's task is also to manage the organization's AI strategy.
As a result, it is not unusual for these two roles to conflict. CIOs are typically inundated with employee complaints about any additional steps (such as MFA) that stand between them and the work they need to do. At the same time, the CIO must understand how changes that might increase productivity can create serious security risks.
For example, if several employees each record a videoconferencing session, there are now multiple files, possibly stored in different locations, containing potentially confidential information. Considering the number of video calls that are likely to happen in a large enterprise on any given day, it is easy to see how the resulting exposure could become a major problem for CISOs.
Hire the right CISO for your organization
For the CIO-CISO relationship to work, companies also need to understand what skill set they currently require from a CISO and the kind of expertise that will be needed to move the organization forward.
For example, many mid-sized organizations may not yet be making cybersecurity a priority. They understand the seriousness of the threat landscape. However, their risk management committees may be focused on other issues, such as supply chain diversification to ensure future manufacturing capacity, rather than on IT security.
In this case, it would be wise for the organization to hire a CISO who would bring a fresh focus to the technical aspects of protecting the company's IT environment and to developing a recovery plan for the inevitable attack. However, once a company reaches a certain size, investors will begin to demand that cybersecurity be treated as an enterprise risk, elevating it to a board-level issue. That is when a company should consider hiring a CISO who has more compliance experience.
Once the right candidate is in place, the CIO also needs to make sure that the CISO is set up for success. For example, if the CISO's top mandate is focused more on enterprise risk management, the company should hire a deputy chief information security officer (what we call a lowercase "ciso"), someone whose job is solely to manage the technical side of the defense operation.
This way, the CISO can instead spend more time aligning with the CIO on a broader cybersecurity strategy and communicating those plans to other leaders, including the board. Meanwhile, the "ciso" can handle the day-to-day work, perhaps even writing code themselves.
Connect the CISO with the company
The CISO role can be a difficult one. The typical mandate, to protect increasingly complex and widely distributed IT environments, is extremely broad. At the same time, CISOs have little direct control over that domain. They must work across the enterprise and gain buy-in from several key stakeholders to implement the necessary procedures and policies.
Often, CISOs face stiff resistance from the business, especially if the security chief wants to implement measures that will change how business unit leaders and their teams are used to working. Therefore, the CIO must make sure that the CISO has direct contact with the appropriate leaders, whether that is the CMO, the CFO, the global head of sales, or any other relevant executive.
And while the CISO may not have final authority, division leaders should take the security chief's recommendations seriously. The CIO can support these efforts by working with the CISO to agree on what to implement.
Empower the CISO to lead during attacks
When it comes to basic operational issues, such as a cloud storage outage, the CIO should take the lead. However, when a cyber incident occurs, the CISO should have the authority to execute an established response plan to ensure timely and accurate recovery with minimal downtime and data loss.
But CISOs also have to know where their authority ends. For example, in the event of a ransomware attack, the decision on whether to pay will ultimately be made by other business leaders, such as the board of directors and the CEO.
The rise of artificial intelligence and the drive to create a digitally connected company are bringing new attention to the tension between increased productivity and increased security risk. Tipping too far in either direction can expose your organization to more attacks or make it significantly harder for employees to do their jobs. In either case, the company will ultimately suffer.
The divisions between IT and security are rapidly disappearing; the organizational barriers within the company should be disappearing as well. And as technology drives more and more core business functions, it is up to CIOs and CISOs to learn how to keep IT balanced on the proverbial tightrope.
DataDecisionMakers
DataDecisionMakers is the VentureBeat community where experts, including data scientists, share data-related insights and innovations.