
January 10, 2023


CIOs and CISOs today are tasked with many high-priority and often overlapping initiatives, from digital transformation to cloud migration, including hybrid cloud, on-premises and multicloud deployments—all of which are critical to the business but inherently tied to disaster recovery and other security and risk management imperatives that need to be addressed simultaneously. And often, these CIOs and CISOs are trying to balance these initiatives and manage risk while facing a significant talent shortage across both IT and cybersecurity teams.

So, how exactly should CIOs and CISOs work together to ensure they are delivering the technology initiatives required to keep their businesses competitive (e.g., shifts to the cloud) while, at the same time, ensuring cyber resilience in light of ongoing threats, like ransomware, and this pervasive talent gap?

From speaking with customers, I’ve found that, while there’s no one-size-fits-all approach, there are clear takeaways for organizations looking to balance technology and business needs while mitigating cyber risks in this rapidly evolving workplace.

Balancing Cloud Deployments With Security

CIOs and CISOs today see the cloud—whether private, public, multicloud or hybrid deployments—as one of their organizations’ greatest opportunities for digital transformation, but also one of the greatest challenges. When shifting from on-premises to the cloud, and then determining a cloud strategy, there are many factors (even trade-offs) to consider.

Migrating to the cloud requires organizations to extend parts of their security posture to infrastructure they do not directly control. For example, there is considerable variation in the data-retention policies of cloud vendors, which could result in permanent data loss (e.g., in the event of ransomware) if backups are not properly scheduled. This risk can be mitigated with proper, modern data management and security practices, but it is certainly something that needs to be addressed from the start. A good first step is tightening your organization’s own security posture and then ensuring that cloud partners meet those requirements, meaning that they comply with the same security policies and standards as internal security control operators.

Additionally, customers have cited compliance as another leading element in their cloud strategy, especially those in highly regulated industries like healthcare and finance. For example, healthcare has only recently embraced the public cloud now that privacy compliance for SOC Type 2 and HITRUST has become possible.

Collaborating Between IT And Security Functions

The ever-increasing threat of cyberattacks is causing organizations to rethink and restructure the relationship between IT and cybersecurity, at both the operations level and the C-level. Historically, most security teams have focused primarily on preventing cyberattacks, while IT teams have focused on data protection such as backup and recovery. But a complete data security strategy needs to bring these two worlds together, as any lack of collaboration creates significant business risk and can put organizations at the mercy of bad actors.

For many organizations, this means changes to the C-level reporting structure. For example, while it’s still common for a CISO to report to a CIO, increasingly CISOs are reporting to the CEO to create a separation between IT and cybersecurity and create accountability on both ends. In other cases, such as my own at Cohesity, the CIO and the CISO roles are combined based on a preference that one individual should be equally and seamlessly responsible for information systems and cybersecurity.

However the reporting structure falls, it is clear that both technology and security need to be integrated at the highest levels within an organization to ensure that critical systems are operated both effectively and securely. Teams are increasingly working closely with business leaders to evaluate technologies and plan initiatives, ensuring that business needs are met with agile and secure information systems. IT, security and business operations must be aligned and work in tandem to make IT successful.

Managing A Small Talent Pool

While there are many possibilities and priorities for deploying information systems today, none of it would happen without talent. Unfortunately, many organizations are struggling to hire IT and cybersecurity talent due to pervasive labor shortages. According to recent research from Cohesity, this ongoing shortage is impacting the ability of IT and security teams to collaborate effectively.

One way organizations are combating this issue is by focusing on retention and reskilling of their current workforces. Technology employees are harder to recruit because of their high demand and their desire for work flexibility, making retention and internal development as important a strategic focus as recruitment.

The bottom line is that, in today’s challenging landscape, both IT and security teams need to co-own cyber resilience outcomes and have a comprehensive understanding of their organization’s potential attack surface. There is no one-size-fits-all approach, but encouraging collaboration is key, and modern data security and management can help close any gaps, improve visibility and help both departments sleep better at night knowing they can work together to stay one step ahead of bad actors.
