Street fighting man
Security teams fight many battles. There are threats, vulnerabilities, exploits, improperly configured systems, legacy equipment, lean budgets, staffing shortages, and users who are fallible. Any one of these things, alone, is a challenge, but possibly the biggest challenge security teams face is the battle between the security department and the CIO.
In a recent survey conducted by Enterprise Strategy Group (ESG) and ISSA International, 52% of respondents at organizations with a CISO/CSO or similar executive-level security professional said that the most senior security executive reports into the CIO or a direct report of the CIO. Only 22% of companies surveyed said their highest-level security professional reports directly to the CEO.
In a similar report, published by ISACA earlier this year, 63% of respondents said that the cybersecurity function reports into the CIO, and a mere 14% of security leaders report directly to the CEO.
Even more concerning, 27% of the ESG/ISSA survey respondents reported that their company “has no plans or interest in adding a CISO/CSO or similar position.” This may indicate that those companies don’t prioritize security strongly enough to support hiring an experienced professional to run security and work alongside the business.
Hey! Think the time is right for a palace revolution
Whichever numbers you choose, all indicate that ties between IT and security are strong and showing no signs of weakening. The alignment makes sense: Both teams are responsible for the technology infrastructure upon which the business runs. Digging only slightly below the surface, though, cracks start to appear.
The friction between security and IT is well known: The CIO and IT teams are responsible for on-time service delivery of products and services, network uptime, and rapid deployment of new tools. The security team, on the other hand, is responsible for securing systems and identifying risk, which can mean delaying products or services, taking resources offline if a threat or potential threat emerges, or slowing down deployments to ensure proper configuration is established from the start. Adding insult to injury from security’s perspective, the security budget is often embedded in the IT budget, with security only garnering a small percentage of an otherwise hefty sum. Based on whose data you’re consuming, the percentage of IT’s budget given to security ranges from a paltry 3% up to nearly 15%, leaving security feeling like they’re getting the “leftovers” even though security as a subject is a constant, continual, and rising concern among C-level executives and boards of directors.
But where I live the game to play is compromise solution
With the CIO and her/his team in charge so much of the time, it’s no wonder security teams feel like they’re fighting an uphill battle. That said, both teams need to work together towards a common business goal. The name of the game is business alignment, and IT has the advantage when they’re the ones rolling out new applications or tools that help the company generate revenue and/or increase the ease with which employees can perform job functions.
However, business risk is nothing new, and security teams can gain ground when the focus is on how security’s actions impact organizational risk. First, though, because the relationship between IT and security isn’t bound to change anytime soon, security needs to start getting a better handle on working productively and collaboratively with IT. This can be accomplished through joint planning cycles and prioritization of tasks like patching and secure tools deployment. Shared processes can also be adopted so that neither team feels like the other team’s initiatives are taking precedence. Of course, getting to a collaborative stage is entirely reliant upon a good working relationship between the most senior IT professional and the most senior security professional reporting into her/him.
Well then, what can a poor boy do?
Building or repairing this relationship starts with communication and trust. Security and IT are equally guilty of rolling out initiatives without alerting the other team, and IT teams often say that they feel security overreacts to potential risks, especially when a breach hasn’t occurred (or isn’t known), yet derails IT’s projects anyway. These counterproductive interactions can be reduced by simply opening lines of communication, along with an earnest effort to change and an acceptance of differing ideas and opinions. Trust will never be earned if security continues to use FUD as a mechanism for furthering its cause. In some cases, risks are real; but today, communication about the reality and/or likelihood of those risks is significantly lacking, and that leads to mistrust.
Taking time to educate IT partners about risks or vulnerabilities will help in the long run, but so too will accepting that certain business advancements are a priority over potential security flaws. Security teams are under tremendous pressure to stay on top of threats, vulnerabilities, exploits, improperly configured systems, legacy equipment, and fallible users. Some of this burden can be lessened through a more cooperative relationship with IT, especially the CIO if he or she is the ultimate boss and decision maker.