Corporate security and IT departments and the people who lead them often have complicated relationships. But does it really have to be that way?
It’s a critical question as digital business accelerates in every industry and market, its rise only magnified by the COVID-19 pandemic. Never has it been more important for the CIO, CISO and other digital technology leaders to work in lockstep as they shape their organizations’ future.
For too long in too many organizations, IT and security have viewed themselves as two different disciplines with fundamentally different missions that have been forced to work together.
In companies where this tension exists, the disconnect stems from the CIO’s focus on delivery and availability of digital services for competitive advantage and customer satisfaction – as quickly as possible – while the CISO is devoted to finding security and privacy risks in those same services.
The IT pros tend to think of the security teams as the “Department of No.” Security pros view the IT teams as always putting speed ahead of safety.
Adding to the strain, CISOs are catching up to CIOs in carving out an enhanced role as business strategists, not merely technology specialists. The CIO’s main role was once to deliver IT reliably and cost-effectively across the organization, but while optimizing infrastructure remains a big part of the job, today’s CIO is expected to be a key player in leading digital transformation initiatives and driving revenue-generating innovation.
The CISO is rapidly growing into a business leader as well. As a Gartner report put it, they have become “key enablers of digital business and are accountable for helping the enterprise balance the associated risks and benefits” by measuring, prioritizing, and improving an organization’s security posture.
If companies aren’t careful and don’t craft a well-thought-out plan that recognizes these evolving roles and how they should complement each other for digital success, they can end up seeing turf wars, budget battles, silos, and confusion.
So, what’s the answer to make the relationship between IT and security all it can be? Here are four suggestions.
Change the culture of division
It may sound obvious, but the first step needs to be a shift in mindset: the IT and security functions must stop treating one another as “them” and start thinking of themselves as partners. When each is successful, both shine. IT needs security because while developing and deploying applications quickly is important, so is making sure they’re protected. For security teams, IT is like a telemetry system from which they can gather feedback on the security and productivity needs of employees.
CIOs and CISOs must resolve to see their organizations as extensions of each other, rather than separate teams.
Early communication and collaboration
By partnering right at the start, at the application ideation and architecture design and review stages, IT and security can work better together and avoid conflict later.
This approach reflects the DevSecOps mentality taking hold in many companies, where security’s role is no longer relegated to a specific team in the last stage of development but introduced much earlier and woven into every step of the software development lifecycle. DevSecOps adoption rates are on the rise, according to GitLab’s 2020 survey of 3,650 software professionals, proving that change is possible when it comes to roles within developer, operations and security teams.
When IT and security work together early and collaborate on baking security into everything, due diligence around vulnerabilities and threats has already been done when it’s time to deploy an application – no last-minute swooping in by the Department of No.
Don’t sweat org charts
A common industry trope is that having both the CIO and CISO reporting to the CEO automatically fosters collaboration and reduces friction. While I feel that sometimes can be true, every organization is different and there’s no one-size-fits-all solution.
A PwC report found that 40 percent of CISOs now report to a CEO, while 24 percent report to the CIO and 27 percent report directly to the board. I think it’s fine for reporting structure to vary by company size and industry.
For example, if a particular CIO has established themselves as a strategic business leader who truly understands security’s crucial role in risk management, the CISO reporting to the CIO can be a viable solution. If a certain company has a heavy regulatory burden, such as HIPAA or PCI, reporting up through the General Counsel’s office may indeed make sense. The outcome is what matters: reporting should reflect the best path to bringing risk in line with business goals for your organization.
Embrace the CISO-as-risk-management-leader model
Security used to be about building a moat around the castle, so to speak – a mechanical/technical endeavor to safeguard against attacks and vulnerabilities.
When the security organization’s mindset shifts from technology to risk management, as has been happening, it truly becomes a strategic business function. This new seat at the table elevates security’s reputation across the enterprise and should help eliminate the IT-security tension that has existed for too long and is counter-productive to a company’s digital ambitions.
So, the answer is no: corporate IT and security departments are not destined to have fraught relationships.