Clash of the Titans

Security
Author: Ofir Eitan, CISM, CDPSE, CCSK
Date Published: 1 May 2018

One of the major challenges chief information security officers (CISOs) face in almost any organization is balancing information security interests against IT interests.1, 2 Examples include implementing a cybersecurity system3 before implementing a system intended to improve network performance, or changing the network architecture based on security directives rather than designing it in a way that is easier for the IT operations teams to maintain. Any reader who has worked in an IT division has probably encountered the following common dilemma: The CISO presents an urgent need to acquire a security system, and the IT department has to oppose the request because of insufficient resources or technical issues arising from the project.

This article shares the author’s insights from personal experience regarding the imminent and almost inevitable clash between information security and IT interests. These thoughts developed while the author participated in related roundtables, took part in corporate meetings on this topic, and held informal conversations with experts and senior executives in the industry. This analysis can help information security officers and managers overcome this challenge and help organizations strengthen their security posture.

The dynamic in the workplace is generally based on workers and their interaction with one another. Therefore, a good working relationship between CISOs and their colleagues, such as the head of the system operations department, is likely to help bridge their individual professional interests. On the other hand, the location of the information security function in the organizational structure can have a huge impact on the working dynamic, as the following models indicate (ordered according to the author’s understanding of how the information security structure has evolved):

  • The CISO reports to the head of the IT department or an equivalent position—In many organizations, specifically small to medium-sized businesses (SMBs), security functions have developed inside IT units, mainly to meet the demand for securing IT, whether based on a genuine understanding of the increase in cyberthreats or to ensure compliance with regulatory demands. Although a proper security posture can always be achieved, in this scenario conflicts may arise due to the intrinsic conflict of interest between performance needs and security needs. For this main reason, best practices and standards require the separation of duties between IS and IT.
  • The CISO reports to the chief information officer (CIO) but relies on IT units for system operations and management—This structure tends to be common among corporate entities.4 Usually, this model separates the management of security policies, audits and incident monitoring, led by the information security unit, from the infrastructure and/or system units that execute system operations. Therefore, the CISO generally relies on the infrastructure department when it comes to budget and is pressured to toe the line with the CIO’s inherent interests, which usually lean toward IT productivity.5 Once more, pressure from business units, performance issues, and insufficient human or financial resources can be placed ahead of the CISO’s agenda.
  • The CISO reports to a senior executive, but not the CIO—Most organizations today are obligated to comply with industry regulations, which seem to be moving toward requiring organizations to have the CISO report to a senior executive.6 In this case, the CISO can report to the chief risk officer (CRO), chief operating officer (COO) or another senior position.7, 8 Any of these structures may, or may not, have negative effects on the CISO’s ability to promote information security interests in the IT division. However, the CISO’s relative distance from the IT units can pose the biggest challenge to his/her duty, whether in budgetary matters, staying up to date with IT projects and trends, or enforcing policies and promoting the IS agenda.
  • The CISO manages independent system operators and reports to the CIO or chief executive officer (CEO)9—Some might say this structure is the goal for any CISO, since it provides the necessary resources and authority to execute information security governance and the associated agenda. As the saying goes, with great power comes great responsibility; therefore, in this structure, the CISO will likely be required to invest more time coordinating system operations with the IT units. The key factor in this structure is to integrate the information security system operators with their colleagues in the IT units so that they join forces on a daily basis.

In the author’s view, there is no ideal model for placing the CISO in any given organization. On the contrary, there is always a best model for any specific organization. One way or the other, CISOs are advised to absorb the idea that their place in the organization’s layout has a vital influence on their ability to lead major changes such as acquiring new solutions, implementing a new and secured network architecture, and executing comprehensive policies and processes.

The organizational structure analysis should come in handy for any CISO as a means to understand the pros and cons of the position. However, the following insights and guidance may apply for the CISO no matter the reporting lines in the organizational structure layout:

  • Understand and consider both sides of the equation. Naturally, information security personnel pursue solutions with the best security functionalities and capabilities according to their informed understanding. On the other hand, each information security manager should consider whether the solution meets the demands of the infrastructure, system and IT operations units. It is recommended that the CISO formalize a baseline requirements document containing all the basic demands set by the IT departments. This document is comparable to a security policy, but from an IT point of view (e.g., an agent or agentless system, support for virtual desktop infrastructure [VDI] platforms, system resource limits, sufficient technical support). Both information security and IT units should aspire to a harmonious process in which each side represents the other’s needs and interests.
  • Remember that business needs will always be placed above IS needs. When it comes to the bottom line, managing information security means finding the best compromise between security and business for the organization while ensuring compliance with laws and regulations. For that reason, this understanding also applies to the considerations behind purchasing and implementing new security systems. Therefore, before presenting a business case, the CISO must make sure purchasing new solutions or changing the network architecture is the last resort and all other solutions based on existing resources were properly considered.
  • Develop a business case. Finding the financial and human resources for the best security solution on the market is often not enough if there is no tangible, concrete or imminent risk. Therefore, prioritizing security needs over business needs may require the CISO to find other sources for financing a solution. In most cases, the CISO should demonstrate an unambiguous gain in operational efficiency if the intent is to implement new solutions. Furthermore, according to various senior executives, the number of security systems might be restricted. For this reason, some cases will require the CISO to show how a new solution will actually reduce the number of existing systems and provide the best holistic solution, mitigating as much risk as possible. For example, acquiring an endpoint detection and response (EDR) and deep packet inspection (DPI) solution, combined with an antivirus module in one agent, can replace a set of systems such as the current antivirus (AV) software, forensic and remediation agent, anomaly detection tool, incident response management system, control management system, tapping and network analysis tools, and intelligence feeds. In some situations, it can also be used for infrastructure troubleshooting.
  • Meet the demand for a formal risk management process. When all efforts have been made and an unsatisfactory decision is inevitable, the CISO should document the formal decision and include a professional and detailed risk assessment. The CISO should not forget that the position serves the organization for better or for worse, even though this service sometimes includes confronting senior managers with the threat landscape and the information security risk it presents. In this regard, it is the CISO’s duty to exercise due care and due diligence in the given situation, which should include a proper risk management process before any decision is made concerning the purchase of security systems, change management, implementation of new policies, etc.

Conclusion

Although the statement that information security professionals should act as business enablers might be a cliché, it should remind CISOs that they are here first and foremost to serve business needs. Therefore, they must make the best out of their available resources and their position in the organizational layout. One might think this sounds like CISOs should act as yes-men, but that is not the case. Whenever CISOs or any other information security personnel find themselves in a dispute over resources or policies with IT personnel, they should remember one of the most important fundamentals in information security—the risk assessment process. CISOs are expected to hold extensive knowledge in analyzing and presenting the cyberthreat landscape of the organization to its executives, and the proper technological solution or process to mitigate the risk to which the organization may be exposed.

Endnotes

1 Pompon, R.; “CIO or C-Suite: To Whom Should the CISO Report?” InformationWeek Dark Reading, 7 September 2017, http://www.darkreading.com/partner-perspectives/f5/cio-or-c-suite-to-whom-should-the-ciso-report/a/d-id/1329807?piddl_msgorder=asc
2 Musthaler, B.; “Reduce the Conflicts Between IT Administrators and Information Security Personnel,” NetworkWorld, 20 January 2012, http://www.networkworld.com/article/2184992/infrastructure-management/reduce-the-conflicts-between-it-administrators-and-information-security-pe.html
3 A cybersecurity system, in this case, can be an automated vulnerability scanner, upgraded endpoint protection, deep packet inspection, etc.
4 Brocaglia, J.; “Hiring Your First CISO: A How-to,” ISACA Now Blog
5 CIO Staff and CSO Staff, “Eight Reasons the CISO Should Report to the CEO and Not the CIO,” CIO UK, 6 January 2017
6 New York State Department of Financial Services, 23 NYCRR 500 Cybersecurity Requirements for Financial Services Companies, USA, March 2017, www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
7 Adams, E.; “Comment: Where the CISO Should Sit,” Infosecurity Magazine, 22 November 2011, http://www.infosecurity-magazine.com/opinions/comment-where-the-ciso-should-sit/
8 Boulton, C.; “Debate Continues Over Where CISOs Sit in the C-Suite,” CIO, 2 June 2016
9 Lambert, M.; “As CISOs’ Roles Evolve, So Do the Reporting Lines,” ISACA Now Blog

Ofir Eitan, CISM, CCSK, CTI, is a cybersecurity manager and consultant with more than 10 years of managerial experience in various fields, including strategy and road mapping, security programs, vendor management, product evaluation, incident response, threat intelligence, and offensive security. He established the first cybersecurity team in Leumi Card, the second largest payment company in Israel. Prior to that, he served in the Israeli National Cyber Bureau and the Israeli Intelligence Corps in various positions as an information security officer and cyberthreat intelligence (CTI) team leader. He can be reached at www.linkedin.com/in/ofir-eitan.