Javier Dominguez, CISO at Commvault, considers the dynamic between the CIO and CISO and states that a more collaborative mindset between the two is required to deliver the kind of robust cybersecurity programmes needed today.
In an increasingly hostile data security landscape, effective cybersecurity relies on strong internal processes and communication, driven from the top by experienced C-level personnel. For this reason, the dynamic between members of the C-suite, particularly the CIO and CISO, now plays a pivotal role in everything from an organisation’s strategic cybersecurity spending to its overall incident response plan in the event of a data breach.
While CIOs tend to have a broad range of roles and IT responsibilities throughout their organisation, CISOs can often find their plates stacked even higher, spanning everything from compliance and governance to enterprise-wide risk management and beyond. Consequently, while CISOs are typically seen as the final authority on all data security issues, it’s a role that’s becoming increasingly difficult to do in isolation, without close support from the CIO.
Considering this, it’s not surprising that the collaboration between CIOs and CISOs has significantly evolved in recent years. As cybersecurity continues to gain traction on the corporate agenda, it’s become clear that old, siloed approaches simply aren’t viable today.
Instead, a more collaborative mindset is required to deliver the kind of robust security programmes needed today. From establishing and maintaining a secure network perimeter to ensuring round-the-clock regulatory compliance without impacting operational efficiency, modern cybersecurity is a team effort, one that CIOs and CISOs must lead from the front.
The stats behind the story
The good news is that reality is starting to reflect this best practice. According to recent research by Commvault and Futurum, nearly all (99%) of the 200 C-Suite and senior-level IT executives (more than half of which were CIOs, CSOs and CISOs) indicated that the relationship between IT and security had grown more connected over the past 12 months.
For those who described the relationship between IT and security as ‘connected’, 64% stated they now have shared goals for maintaining the company’s security and 70% stated they have joint processes and procedures in place for daily operations.
However, there is still work to do. For example, less than half (48%) stated they have established joint processes and procedures to mitigate or recover from an incident. With cyberattacks now occurring at a rate of 19 every second, the need to work together has never been more urgent.
As this research shows, there are clearly still barriers to overcome before closer collaboration is possible for many organisations. Chief among these is budgeting shortfalls, meaning allocated resources and investment levels simply aren’t high enough to cover all priorities set out by both the CISO and CIO. At a time when there is significant pressure to increase cybersecurity budgets, some leaders are still having to make compromises to ensure objectives can be met, which can be frustrating for all involved.
Another common barrier tends to be differences of opinion between CISOs and CIOs when it comes to cybersecurity and its impact on overall operational efficiency. Finding the balance between robust data protection and employee productivity is tricky.
Overly stringent security protocols can often prove detrimental, and employees may even try to circumvent particularly onerous requirements, creating further problems. On the other hand, security protocols that don’t go far enough can quickly lead to vulnerabilities across the network. This is where collaboration is key to finding a happy medium.
A dynamic and successful partnership
With these parameters top of mind, what does a successful CIO/CISO partnership look like? In modern organisations, there’s multiple crossover points between the two roles. A great example is the challenges presented by organisational resilience, which is now a crucial consideration for every business. One of the best ways to assess existing resilience levels is to test how well security and IT teams and their processes and technologies respond to, and recover from, unexpected cyber-incidents.
In this test scenario, the aim is to assess the response and identify key areas for improvement in both protection and mitigation strategies that go beyond just cybersecurity and examine every part of the IT estate where vulnerabilities are found to exist. This is only possible when the process itself covers all aspects of the response, ranging from tech issues and challenges, to employees, training levels and established protocols. Without the full involvement and consent of both the CIO and CISO, improvements will be very hard to deliver.
In addition, there’s the growing list of challenges presented by constantly evolving/expanding regulation and compliance requirements that today’s businesses face. Here, the C-suite must work together closely to ensure they are operating within the parameters of key legislation such as the General Data Protection Regulation (GDPR) on an operational level (of particular interest to the CIO) and that their security is sufficiently robust enough to minimise the risk of a data breach (which falls under the remit of the CISO).
Once again, without a high level of collaboration and consent between the CIO, CISO and wider C-suite, delivering the kind of joined-up approach required will be difficult to achieve, putting the organisation at risk of regulatory fines and reputational damage.
By aligning behind common organisational goals, CIOs, CISOs and their respective teams can quickly start to establish working processes and practices that benefit everyone involved. This level of co-operation also enables teams to navigate the increasingly complex digital technology landscape together and identify the best solutions to meet evolving business needs, delivering a crucial advantage over competitors.
Organisational maturity can also play an important role in future-proofing leadership teams against inevitable personnel changes at the top. Given the typical tenure of a CIO and CISO is just three to five, embedding robust processes into their areas of responsibility is now vital for minimising disruption in the event of key personnel leaving.
In every business, CISOs and CIOs naturally have their own differing agendas, duties and priorities. However, it’s crucial that both roles also acknowledge the growing number of common goals they also share. As IT and data security become increasingly intertwined, the ability for CISOs and CIOs to collaborate effectively in pursuit of common business goals has become a key factor in determining how well organisations can protect their data, optimise operations, and ultimately, help ensure their long-term future is secure.
Click below to share this article
