In an era where technology is not only crucial but also incredibly complex, the CIO faces new challenges every day. But while new attack techniques and complicated, insecure software provide enough strain, seeing eye to eye with the CSO can be equally trying.
As IT and security both play crucial roles in enabling the business, the two must learn to keep in step, despite following a different tune.
The rise of the CSO
The clash of roles begins with the CSO as an emerging role. Much like the days when the CIO could only be found in the data centre, today they work alongside the CEO or COO providing valuable input into business operations.
The same holds true for the CSO, who is gaining wider recognition and authority in business strategy as executives are elevating the importance of information security, meaning CIOs have to take on a more collaborative approach with a new executive voice.
The Global State of Information Security Survey 2014 - a worldwide study by PwC, CIO and CSO - found that executives are now heeding the need to fund enhanced security activities and believe that they have substantially improved technology safeguards, processes, and strategies.
Finding common ground
Technology is a true business enabler and security must be built in at every level of IT to ensure business success. This forever connects the security professional and the IT professional, thus the CIO and CSO become two roles dependent on one another.
But the two factions often have different agendas and methods of how to succeed – the CIO wants to innovate and take risks and the CSO seeks the best way to manage and reduce risk. How then can they form the necessary détente?
Jo Stewart-Rattray, director of information security and IT assurance with BRM Holdich, says the CSO role must become more widespread and holds equal weight as the CIO.
“There’s a whole governance role for information security, not just for IT, so the two are quite separate but there should be reference to each. If there’s a strategy for IT there needs to be a strategy for information security, but there needs to be a dotted line between the two, if you like.”
“The issue is that in Australia we don’t actually see a lot of CSO or CISO roles, and often, it will be someone who actually reports to the CIO, so that of course is a conflict of interest immediately,” says Stewart-Rattray.
While it makes sense to keep the CSO separate from the confines of the CIO's competing priorities, the CSO reporting directly to the CEO or the CFO can also drive a disconnection between IT and information security.
This is why it’s important for the CSO and the CIO to maintain a healthy relationship in which information is frequently shared, says Stewart-Rattray.
“They need to be speaking to one another, there’s no point if that’s an adversarial relationship. They need to look at how they can jointly tackle some of these issues so that the IT guys are not less vulnerable, and that the security people are actually consulted, so that it becomes part of every implementation and project that the implications for security are considered.”
Meanwhile, the CSO reporting directly to the CEO could do more to stymie security progress, where the CIO is more clued into the company’s security requirements.
Overall, respondents to The Global State of Information Security Survey 2014 say that the most significant obstacles to security include inadequate understanding of how future business needs will impact information security, committed leadership, and a lack of an effective security strategy.
“It is troubling that deeply fundamental issues such as the understanding and alignment of security with future business needs and the efficacy of security strategies are among top concerns,” the report reads. “Respondents are also very likely to point to executive leadership, the CEO in particular, as a top impediment to improved security.”
Stewart-Rattray says balancing security risk with business demands requires moving beyond fear and uncertainty. CSOs must accept that they are in the business of accepting risk and make compromises, but in turn CIOs must recognise that things are changing.
“There’s always been this notion that security guys always say no. I think we’re seeing a change in that, I go into some organisations and I do see that happen, but security is supposed to be an enabler of the company, not a constraint,” says Stewart-Rattray. “I’m glad to say that's a bit of an old fashioned view now; security is a lot more involved with working with a business.”
She explains how, during her time touring with the CSO Perspectives 2013 roadshow last year, she and another IT security representative reviewed an IT project, and both advised that a company could implement it as long as the security risks were carefully considered. What was surprising, however, was the attitude of the CIOs.
“The CIOs were actually saying [about the same project] ‘no, don’t do this’ – so I think there’s been a lot of a change. Security professionals have recognised that it’s not about saying no, it’s about how can you make this best for the business, while considering the security impacts.”
Can’t do it alone
In the wake of the Target breach in the US, there’s been a lot of debate regarding what went wrong. In particular the company has been scolded for not having a designated CSO role in place, thus leaving security in the hands of the CIO.
“Who knows whether the breach could have been avoided… but I think it shows a more concentrated and concerted effort if there is a CSO role in place, and it also shows the board of the organisation actually has a commitment to security,” says Stewart-Rattray.
Glenn Welby, director of security for Cisco ANZ, doesn’t deny that it could have made a difference, but agrees that it’s still a simplistic view of a complicated issue.
“Is it too simplistic to say, if Target had a CSO could they have avoided the problem? Perhaps. If the CSO had been there, and understood the nature of the problem, understood the requirements to look at evidence of malevolent malware inside their organisation.
"If they could understand the process for filtering all that and acting on all those things that seem to be problematic, then yes, the problem could have been stopped,” he explains. “We don’t think you can do it on your own.”
When push comes to shove, Stewart-Rattray believes the commonalities between the two roles can overcome any differences.
“Put away the big bats and sit down and talk about the commonalities that you have, not the differences. That’s a better starting point, because if you look at the commonalities sometimes you actually find the differences aren’t as big as you thought, and if you only look at it from a negative perspective to start with, that conversation is doomed,” she says.
Welby believes the element of trust is also crucial for any CIO-CSO relationship.
“We have to develop a relationship with deep trust between the security expert and those responsible for IT strategy … with the CIO telling the CSO: You have an arcane set of skills that I need to understand at a strategy level, and I need to trust at a technical level that you will do the right thing by the organisation.
“Also, gain the CSO’s trust, so they know that IT is backing them and will do the right thing too …success can only be collaborative,” he says.
Lastly, Stewart-Rattray points the finger to HR as to the hiring process involved, as not every CIO or CSO will be as willing to play ball as others.
“There needs to be relationship established between the c-suiters to make sure that they can have those discussions, and that might be about who you recruit for the roles, and about having the right people in place that will be able to work together,” she says.
“There has to be that level of commitment to the organisation - it’s not about he said, she said.”
Read more: Doing business with William Davis of Aderant