Productivity vs. Security: How CIOs and CISOs Can Agree

by trpliquidation


When it comes to cybersecurity, organizations often walk a fine line. Of course they want the most robust defense possible. But at the same time, they don’t want the solutions to overload employees with intrusive security requirements that slow down productivity.

A perfect example is multi-factor authentication, or MFA. Although proven to be a powerful deterrent against the increasing number of identity-based attacks, many organizations are slow to adopt the common sense security protocol because employees hate the extra steps required to log in to regularly used systems.

It’s often up to the CIO and CISO to manage the delicate balance between security and efficiency. And as cybersecurity increasingly becomes an enterprise-wide risk, amplified by the new risks that may be introduced by the expected growth of AI within most businesses, the CIO and CISO must work more closely than ever to ensure that their business’s IT assets are protected – with the least disruption possible to end users.

For years, organizations have often viewed cybersecurity as a “check the box” function. Companies may have done the bare minimum to comply with standards such as those of the National Institute of Standards and Technology (NIST). But amid a surge in both the cadence and type of incidents, organizations are now aware of the potential financial and reputational risks of a cyber attack.



And in the same way that the Enron scandal 20 years ago launched a new generation of corporate compliance requirements, raising the profile of the Chief Financial Officer role within the C-Suite, the increasing frequency and intensity of cyberattacks today puts a bigger spotlight on the CISO.

And yet, as many CISOs take on increasing risk and compliance responsibilities, it is imperative that security professionals learn to work more closely with the CIO, whose team is responsible for operationalizing many security practices and procedures.

Understand the gap

While CISOs spend their days worrying about detecting and recovering from a cyberattack that they know will inevitably occur, CIOs may be spread too thin to fully absorb these risks. Instead, their minds are busy thinking about how to modernize their company’s infrastructure and make their workforce more productive. And increasingly, CIOs are tasked with managing the organization’s AI strategy.

As a result, it is not uncommon for the two roles to conflict. CIOs are typically inundated with employee complaints about every extra step (such as MFA) that separates them from the work they need to do. At the same time, the CIO must understand how changes that could improve productivity can pose serious security risks.

For example, if multiple employees on a video conference call are all recording the session, there are now multiple files, possibly stored in different locations, that contain potentially sensitive information. Given the number of video calls likely to take place on any given day in a large enterprise, it’s easy to see how the resulting security issues could become a major concern for the CISO.

Hire the right CISO for the company

To make the CIO-CISO relationship work, companies also need to understand what type of skills they currently need in a CISO – and what type of expertise will be needed to move the organization forward.

Even most mid-sized organizations may not yet prioritize cybersecurity. Naturally, they understand the severity of the threat landscape. But their risk management committees could focus on other issues, such as diversifying the supply chain to ensure future manufacturing capabilities, rather than thinking much about IT security.

In this case, it would be wise for the organization to hire a CISO who would pay new attention to the technical aspects of defending the company’s IT environment and developing a recovery plan in response to the inevitable attack. However, once the company reaches a certain size, investors will begin to demand that cybersecurity be treated as an enterprise risk, elevating it to a board-level issue. And that’s when the company should consider hiring a CISO who has a more compliance-related background.

Once the right candidate is in the organization, the CIO must also ensure that the CISO is set up for success. For example, if the CISO’s top mandate is more focused on enterprise risk management, then the company should hire a deputy chief information security officer (we call this a “small CISO”) – someone charged solely with managing the technical side of the organization’s defense operation.

That way, the CISO can instead spend more time aligning with the CIO on the broader cybersecurity strategy and communicating these plans to other leaders, including the board of directors. In the meantime, the ‘ciso’ can handle the day-to-day work, and maybe even do some coding himself.

Connect the CISO to the business

The CISO can be a difficult position. The typical mandate – protecting increasingly complex and widely distributed IT environments – is incredibly broad. At the same time, CISOs have little domain control. They must collaborate across the enterprise and gain support from various key stakeholders to implement the necessary procedures and policies.

CISOs often face strong resistance from the business community, especially if the security chief wants to implement measures that impact the way business unit leaders and their teams are used to working. Therefore, the CIO must ensure that the CISO has a direct line of contact to the appropriate leaders, whether that is the CMO, the CFO, the Global Head of Sales or another position with a corresponding executive leader.

And while the CISO will not have final authority, those division leaders must take the security chief’s recommendations seriously. The CIO can support this effort by working with the CISO so they agree on what needs to be implemented.

Put the CISO in charge during attacks

When it comes to fundamental operational issues, such as a cloud storage center failure, the CIO must take the lead. However, when a cyber incident occurs, the CISO must have the authority to execute the established response plan to ensure timely and thorough recovery, with minimal downtime and data loss.

But CISOs also need to understand where their authority ends. For example, in the event of a ransomware attack, the decision to pay would ultimately come down to other leaders in the company, such as the board of directors and the CEO.

The rise of AI and the push to become a digitally connected business is drawing new attention to the debate between increased productivity and greater security risks. If the company tilts too far in one direction, it could expose the company to more attacks or significantly hinder employees’ ability to do their jobs. In both cases, the company ultimately suffers.

The lines between IT and security are quickly disappearing; this also applies to the organizational barriers within the company. And as technology powers more and more of a company’s core functions, it’s up to CIOs and CISOs to learn how to keep the proverbial IT seesaw running smoothly.

Reza Morakabati is CIO of Commvault.
