Former US President Harry Truman once said, “It is amazing what you can accomplish if you do not care who gets the credit.”[1] Familiar tropes such as this run rampant in conversations among cyberleaders about the many moving parts it takes to ensure a successful cybersecurity program. Cybersecurity leaders are aware of the talent, resources, and culture needed to adopt a cybersecurity strategy across an enterprise, but what is often unspoken is the reliance the information security team must have on the IT team.
The information security team often finds itself in charge of the security vehicle in an enterprise. It is well understood that designing a vessel that fits the needs of the organization, is affordable enough to fit the budget, and can be easily supported by personnel is a complex challenge for many organizations. One often-neglected requirement is the fuel needed to power the vehicle. The IT operations team provides the fuel that helps the information security team reach its destination.
A study performed by IANS Research, an information security research and consulting firm, found that out of more than 500 chief information security officers (CISOs), 46% reported to a chief information officer (CIO) and 15% reported to a chief technology officer (CTO).[2] Although there are some advantages of such reporting arrangements, they often lead to an imbalance of power because resource allocation for IT and security is controlled by a single individual. This can create a conflict of interest because technology initiatives (e.g., reducing resources and prioritizing objectives such as cloud migrations) can reduce the human capital needed to implement security initiatives in the technology stack. Current and future generations of cyberleaders should look to collaborate with their IT peers to elevate their cybersecurity strategies.
Bridging the Gap
One of the foundations of cybersecurity is the equal prioritization of confidentiality, integrity, and availability. Technology teams (assuming a logical split between technology and security) often focus on the availability of the technology stack. For example, if a control is presented that would impact availability in critical line-of-business applications—such as multifactor authentication (MFA) or role-based access—it puts the technology team in conflict because it can create more overhead in maintaining availability. Many organizations clearly delineate the responsibility of security posture versus technology availability between two leaders, but there is often an imbalance of autonomy and authority for leaders to progress their own agendas. CISOs often experience stress stemming from “the lack of authority to implement best practices across the company and the lack of visibility at the top on some of the issues that keep them up at night.”[3] If the stressors of resources (or lack thereof) and visibility are risk factors for CISOs and cybersecurity leaders, the CISO should communicate the risk to peers across the organization and seek their support.
Leaders enable paths to success by forming strategic partnerships and accountability in their organizations. This means working with and alongside IT leaders to identify resources and responsibilities surrounding enterprise cyberoperations. Cybersecurity leaders can leverage their cyberstack inventories and determine shared responsibilities with technology leaders and their respective teams. Creating transparency by clearly defining objectives and discussing responsibilities, such as maintaining endpoint encryption or mobile device management platforms, can reduce risk and help eliminate the barriers in security operations. When the reporting structure for security operations falls within the IT department, cybersecurity leaders can capitalize on that by defining responsibilities and specifying resources necessary from technology peers to reduce risk to the organization and ensure that appropriate resources are allocated to key objectives.
Direct Lines of Communication
No matter what the organizational structure is in terms of information security, key results must be delivered. Security leaders are more center stage than ever as cybersecurity risk reaches executive agendas and becomes increasingly visible to boards of directors (BoDs).[4] Security leaders commonly struggle with the lack of visibility of identified threats to key stakeholders, but visibility is necessary to allocate the right resources and achieve a resolution. Security leaders can make significant progress with merely a few conversations that have the potential to pay dividends. What organizations should implement, and what security leaders should campaign for, are closed meetings to discuss threats and operational issues directly with the BoD or key stakeholders. On the surface, this may sound like it would only increase stress, but it can help bring necessary attention and support to threats that may not have been previously raised with supervisors due to conflicts of interest. This strategy can serve as a tiebreaker in disagreements over whether resources should be allocated to reduce security risk or to pursue IT priorities.
Another opportunity to enable organizational transformation is reserving time for office hours to discuss concerns with any leader or stakeholder within the organization. Leaders can create a reservable meeting on a recurring basis, welcoming people to discuss topics one-on-one. This creates an opportunity to hear from those who may have not had the opportunity to share their concerns or to get the attention they feel they deserve.
Conclusion
Ultimately, information security is a team sport that transcends the responsibility of those with security-related titles. As the cybersecurity landscape evolves and thought transformations take place (e.g., the rise of concepts such as zero trust and bring-your-own-device [BYOD] policies), strategic partnerships and collaboration among IT and security teams become increasingly important. Security leaders should seek to form alliances with technology peers and leverage vertical support from executives to allocate resources to both sides. If transparency is enabled and discussions take place about the roles technology teams play to contribute to the success of the security vehicle, operational deficiencies due to poorly attributed responsibilities can be eliminated.
Endnotes
[1] Truman Institute Library, “Truman Quotes,” http://www.trumanlibraryinstitute.org/truman/truman-quotes/page/5/
[2] IANS, “What Is the Ideal CISO Reporting Structure?” 10 March 2023, http://www.iansresearch.com/resources/all-blogs/post/security-blog/2021/04/29/what-is-the-ideal-ciso-reporting-structure
[3] Plumb, T.; “The Great CISO Resignation: Why Security Leaders Are Quitting in Droves,” SDxCentral, 14 June 2023, http://www.sdxcentral.com/articles/analysis/the-great-ciso-resignation-why-security-leaders-are-quitting-in-droves/2023/05/
[4] Bellens, J.; Hobbs, B.; et al.; “How Bank CROs Are Responding to Volatility and Shifting Risk Profiles,” EY, 10 January 2023, http://www.ey.com/en_us/banking-capitalmarkets/how-bank-cros-are-responding-to-volatility-and-shifting-risk-profiles
Seth Earby, CISM
Is a principal program manager for governance, risk, and compliance in the healthcare industry and a cybersecurity and technology consultant who specializes in building successful cybersecurity and technology programs. His focus is on risk management and creating partnerships with technology and security teams to enable dramatic cybertransformation for cross-functional teams. Earby can be reached at http://www.linkedin.com/in/sethearby.