CISO Rob LaMagna-Reiter witnessed what goes wrong when a company’s security and IT leaders aren’t on the same page.
A colleague, a CISO at a software development firm, was working with the CIO to move from a traditional waterfall project management methodology to agile. Both the CISO and CIO supported the change, recognizing the need to deliver software more quickly to meet business goals. But they didn’t agree on when and how security staff should interact with developers, and each pushed to work in ways most comfortable for him and his team. The discord led to longer release cycles and missed sales objectives.
“They weren’t aligned in working toward the organization’s best interest,” says LaMagna-Reiter, CISO at FNTS, a global IT strategy and managed services company.
That IT-security disconnect isn’t an anomaly.
The 2018–2019 Global Information Security Survey from professional services firm EY found that 77 percent of organizations still operate with only limited cybersecurity and resilience.
Meanwhile, global technology group ISACA's 2018 Cybersecurity Culture Report found that 95 percent of the responding 4,815 business and technology professionals say there’s a gap between the organization’s desired and actual culture of cybersecurity.
And IDG’s 2019 State of the CIO survey found that only 64 percent of IT leaders say security strategy is integrated with the overall IT strategy, leaving about one-third of organizations falling short of strong alignment between the technology and security functions.
“Most IT and security organizations don’t function well together. They might work well together, they might be nice to each other, but I don’t think they’re getting very far,” says Mischel Kwon, founder and CEO of MKACyber Inc., a Fairfax, Va., company providing cybersecurity consulting services.
Several security leaders say they see organizations struggling to get IT and security on the same page and stay in sync as their enterprises speed ahead with digital transformation initiatives. They see several major roadblocks to alignment that tend to plague many organizations. Here, they discuss the most common obstacles and offer top strategies on how CIOs and CISOs can align their resources and priorities to pursue the same overall enterprise objectives together.
Obstruction vs. enablement
One of the most significant, and most frequently cited, roadblocks to IT-security alignment is the perception that the security team can slow down, or even stop, forward momentum, says Sushila Nair, senior security portfolio director at NTT Data Corp. and a board member with ISACA’s Greater Washington, D.C. chapter.
“Cybersecurity developed a reputation as the department of no, so there’s a reluctance to loop in security,” she says.
Moreover, that reputation is deeply rooted in the corporate world, as cybersecurity once had a distinctly siloed role: business and IT worked together to make new things happen, while the CISO worked to keep everyone and everything safe.
“Historically, security has had different goals than the rest of the [organization],” Nair adds.
Similarly, security executives once tended to offer doom-and-gloom scenarios to justify budget increases and costly investments, says Mario Chiock, fellow and CISO emeritus at Schlumberger, an oilfield services company, and advisor to cybersecurity solutions provider Onapsis. He says this, too, created walls between security, which seemed to fear the worst, and other executives who were more accustomed to balancing risks and rewards when making decisions.
Of course, CISOs cannot dismiss worst-case scenarios from consideration, but leading security professionals say they can learn to more effectively analyze them, better categorize their risks to the business, and more clearly articulate the risks to CIOs and other C-suite colleagues.
This enables them all, as a team, to balance business goals and objectives against those threats and understand which threats are the highest priorities worthy of the most immediate attention.
“Security has to play more of a security risk management role,” says Brian Allen, senior manager of cybersecurity at EY Advisory, noting that CISOs have to be transparent with security information and work with the CIO and business leaders to help define the organization’s tolerance for risk. “The security team is there to serve the business function just like the CIO, so they should be aligned with the strategy and the mission and the long-term planning.”
Identifying problems, not solutions
On a similar note, several experts say the security team’s approach to identifying risks and then alerting IT to vulnerabilities has created a roadblock to better alignment.
“Security gets the role not as the enabler of the business but as the oversight to IT. So security ends up saying, ‘You have X number of vulnerabilities in your server environment,’ or they go to people rolling out the laptops and say, ‘They’re not secure and you need to fix it.’ They take on this ‘You have a problem now go fix it’ reputation,” says Todd Fitzgerald, managing director and CISO with CISO Spotlight LLC, an ISACA cybersecurity expert and author of CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.
Fitzgerald says the most effective and best aligned CISOs are those who work with CIOs to create a joint operation. They cross-train their teams so each side better understands their counterparts’ responsibilities, the parameters of their roles, where there are overlaps and where there are pass-offs on tasks.
Such efforts, he explains, help the security team remember that developers’ primary responsibility is developing code. “It’s not their mission to create secure code; it’s their mission to create code that answers the functionality of the business,” he says.
But it also helps security work with IT to develop more secure code and recognize that when problems arise, they’re both responsible for finding solutions. “Successful CISOs take a ‘we’ approach, [as in] ‘How can we help you do that?’” Fitzgerald says.
Using the wrong metrics
CISOs and CIOs also fail to develop metrics that can help them pull toward common goals.
For example, developers and other IT staffers are most often measured – and rightly so – on speed to market and the success of the capabilities they create, Nair says. However, such metrics don’t incentivize IT to loop in security. And with such metrics in place, IT workers will simply feel annoyed if security sends back problematic code or slows or halts production because of a suspected vulnerability.
Nair and others recommend CISOs and CIOs create environments where security and IT work earlier in the development cycle and work more closely together in other IT areas, such as architecture, so that they can identify and solve security problems sooner to avoid impacting speed to market.
They also recommend that CISOs and CIOs develop metrics that recognize and reward the two teams for balancing speed, functionality and security.
“I’ve seen [organizations] collect metrics around how many problems they found to the left, where it’s cheaper to find and solve problems than when it’s in a live environment,” Nair says. “And by measuring success on finding problems earlier, you’re incenting people to work together to fix problems.”
Kwon advises CISOs to further identify areas where they can work with CIOs to improve and then measure and report on success. They can work together to measure improvements in the functionality of the security operations center – devising metrics around, for instance, the organization’s capability to detect threats and plans on how to increase that capability. Or they can jointly work on measuring and improving time to remediation.
“Shared metrics are a great way to bring people together,” Kwon says. “They also help [the CIO and CISO] understand risks so they can decide what to tackle first.”
Failing to cultivate the right culture
Despite more than a decade of headline-making breaches, many organizations still view security as a nice-to-have and not a priority, experts say. Or they think of compliance as the equivalent of security.
Such misperceptions make it difficult for CISOs and CIOs to align on security investments.
In fact, the ISACA cybersecurity report found that the primary factors inhibiting a strong culture of cybersecurity relate directly to these misperceptions, with 41 percent calling out a lack of employee buy-in, 39 percent blaming disparate business units, and 33 percent citing no set key performance indicators or business goals in this area as barriers.
An organization that doesn’t understand or appreciate security won’t be able to adequately identify and prioritize risk, nor articulate its tolerance for those risks based on business goals and objectives, says Kayne McGladrey, director of security and IT for Pensar Development and a member of the professional association IEEE (The Institute of Electrical and Electronics Engineers).
“The CIO won’t see the business impact if there’s not a culture of risk mitigation,” McGladrey says. “A culture where security is seen as someone else’s problem will derail any conversation around security, so the biggest thing for CISOs is to make the conversation with CIOs around risk – not around technologies or shiny objects but around risks to the business.”
Organizational challenges
The CISO's relationship to, and with, the CIO can be another big stumbling block to good alignment in an organization, according to multiple security, IT and management leaders. They say misalignment often happens when the CISO does not have an equal voice in the enterprise and when the security function is not able to guide or even have discussions with other executives and the board to establish the enterprise’s tolerance for risk.
Such situations are much more likely to lead to CISOs and CIOs having competing priorities that push them apart rather than help them align toward common objectives, LaMagna-Reiter says.
“Alignment between those two roles means they're working toward upholding the same objectives, but they have to know what priorities they have and they have to agree on the allocation of resources,” he says. “And they each have to have responsibility for where the organization is going, how they’ll contribute to organizational strategies and the priorities and how they’ll collaborate to make all that happen.”
Furthermore, both the CISO and the CIO need to communicate those shared priorities to their staff, LaMagna-Reiter says. “Nothing can throw alignment into disarray more than when the teams hear different messaging from their leaders,” he adds.
Some experts say the CISO, like the CIO, should report to the CEO, as that ensures equality and therefore alignment of priorities. Others, however, say organizations where the CISO reports to the CIO are better structured for alignment, as the CISO and CIO are then working in tandem. Still others say either scenario can help or hinder, depending on the overall culture of an enterprise.
That said, experts do offer some common thoughts on the CIO-CISO relationship that transcend the who-reports-to-whom issue. They say the two positions should have clearly defined roles and responsibilities around issues such as how security technologies are selected, how security issues are resolved, and how disagreements are handled and escalated.
Joe Nocera, a principal in the financial services cybersecurity practice at professional services firm PwC, says CISOs and CIOs should work toward having a shared set of facts and using those facts to ensure transparency into each other’s operations – both elements that help build the trust that’s essential to working together.
“Often when we see misalignment it’s because one or both of the parties don’t have all the information needed to come to reasonable decisions,” he adds. “So it really does help to make sure you’re speaking the same language, that you’re sharing the same facts. But it also comes down to the relationship, to trust. It’s having reliance on the fact that you each trust that the other has the best interests of the organization at heart and are presenting accurate information and will do what you say you’re going to do.”