The Global Information Security survey from EY found that 77 percent of organizations still operate with only limited cybersecurity and resilience.
Meanwhile, 95 percent of the responding professionals say there’s a gap between the organization’s desired and actual culture of cybersecurity, ISACA's Cybersecurity Culture Report found.
“Most IT and security organizations don’t function well together. They might work well together, they might be nice to each other, but I don’t think they’re getting very far,” says Mischel Kwon, founder and CEO of cybersecurity consulting firm MKACyber.
Several security leaders say they see organizations struggling to get IT and security on the same page and stay in sync as their enterprises move forward with digital transformation initiatives.
They see several major barriers to alignment that tend to trouble many organizations. Here, they discuss the most common obstacles and offer top strategies on how CIOs and CISOs can work to align their resources and priorities to achieve the same enterprise objectives.
One of the most significant and most frequently mentioned barriers to IT-security alignment is the perception that the security team slows down forward momentum, says Sushila Nair, senior security portfolio director at NTT Data Corp. and a board member with ISACA’s Greater Washington, D.C. chapter.
Security executives once tended to offer doom-and-gloom scenarios to justify budget increases and costly investments, says Mario Chiock, fellow and CISO emeritus at Schlumberger, an oilfield services company, and advisor to cybersecurity solutions provider Onapsis. He says this, too, created walls between security, which seemed to fear the worst, and other executives who were more accustomed to balancing risks and rewards when making decisions.
Of course, worst-case scenarios cannot be dismissed from consideration, but security experts say CISOs can learn to analyze them more effectively, categorize the risks to the business more precisely, and articulate those risks more clearly to CIOs and other C-suite colleagues.
This enables them all, as a team, to balance business goals and objectives against those threats and understand which threats are worthy of the most immediate attention.
“Security has to play more of a security risk management role,” says Brian Allen, senior manager of cybersecurity at EY Advisory, noting that CISOs have to be transparent with security information and work with the CIO and business leaders to help define the organization’s tolerance for risk. “The security team is there to serve the business function just like the CIO, so they should be aligned with the strategy and the mission and the long-term planning.”
According to several experts, the security team’s approach to identifying risks and then alerting IT to vulnerabilities has created a roadblock to better alignment.
“Security gets the role not as the enabler of the business but as the oversight to IT. So security ends up saying, ‘You have X number of vulnerabilities in your server environment,’ or they go to people rolling out the laptops and say, ‘They’re not secure and you need to fix it.’ They take on this ‘You have a problem now go fix it’ reputation,” says Todd Fitzgerald, managing director and CISO with CISO Spotlight LLC, an ISACA cybersecurity expert.
CISOs who work with CIOs to create a joint operation are most effective and best-aligned, says Fitzgerald. They cross-train their teams so each side better understands their counterparts’ responsibilities, the parameters of their roles, where there are overlaps and where there are pass-offs on tasks.
He explains that such efforts help the security team remember that developers’ primary responsibility is developing code. “It’s not their mission to create secure code; it’s their mission to create code that answers the functionality of the business,” he says.
But it also helps security work with IT to develop more secure code and recognize that when problems arise, they’re both responsible for finding solutions. “Successful CISOs take a ‘we’ approach, [as in] ‘How can we help you do that?’” Fitzgerald says.
Many firms still see security as a nice-to-have thing and not a priority, experts say. Or they think of compliance as the equivalent of security.
Such misperceptions make it difficult for CISOs and CIOs to align on security investments.
In fact, the ISACA cybersecurity report found that the primary factors hindering a strong culture of cybersecurity relate directly to these misperceptions, with 41 percent calling out a lack of employee buy-in, 39 percent blaming disparate business units, and 33 percent citing no set key performance indicators or business goals in this area as barriers.
“The CIO won’t see the business impact if there’s not a culture of risk mitigation,” says Kayne McGladrey, director of security and IT for Pensar Development and a member of the professional association IEEE (The Institute of Electrical and Electronics Engineers).
“A culture where security is seen as someone else’s problem will derail any conversation around security, so the biggest thing for CISOs is to make the conversation with CIOs around risk – not around technologies or shiny objects but around risks to the business.”
The CISO's relationship with the CIO can be another big stumbling block to good alignment in an organization, according to multiple security, IT and management leaders. They say misalignment often happens when the CISO does not have an equal voice in the enterprise and when the security function is not able to guide or even have discussions with other executives and the board to establish the enterprise’s tolerance for risk.
Such situations are much more likely to lead to CISOs and CIOs having competing priorities that push them apart rather than help them align toward common objectives, LaMagna-Reiter says.
“And they each have to have responsibility for where the organization is going, how they’ll contribute to organizational strategies and the priorities and how they’ll collaborate to make all that happen,” he says.
Furthermore, both the CISO and the CIO need to communicate those shared priorities to their staff, LaMagna-Reiter says. “Nothing can throw alignment into disarray more than when the teams hear different messaging from their leaders,” he adds.
Some experts believe that, like the CIO, the CISO should report to the CEO, as that ensures equal standing and therefore alignment of priorities. Others say organizations where the CISO reports to the CIO are better structured for alignment, as the CISO and CIO are then working alongside each other. Still others say either reporting structure can help or hinder, depending on the overall culture of the enterprise.
Experts say that the two positions should have clearly defined roles and responsibilities around issues such as how security technologies are selected, how security issues are resolved, and how to handle and escalate disagreements.