Cyber Security And The CIO: Changing The Conversation - InformationWeek
IoT
IoT
IT Leadership
Commentary
6/2/2015
07:06 AM
Joe Stanganelli
Joe Stanganelli
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
100%
0%

Cyber Security And The CIO: Changing The Conversation

Do CIOs have an inherent conflict of interest when it comes to security? What should be their InfoSec involvement?

New IT Skills: Why Communication, Accountability, Initiative Are Hot Now
New IT Skills: Why Communication, Accountability, Initiative Are Hot Now
(Click image for larger view and slideshow.)

Who in the enterprise should take the lead on cyber-security issues? And what role should the CIO play? These were the two main questions with which speakers wrestled during the MIT Sloan CIO Symposium, held in May on the school's campus in Cambridge, Mass.

During a session titled Cybersecurity: New Approaches to Assessing and Maximizing Your Protection, a panel of information security executives agreed that CISOs and their ilk are key players on the cyber-security battlefront.

Indeed, the importance of the role of CISO is well documented. According to the Ponemon Institute's 2014 Cost of Data Breach Study, one of eight factors having an impact on the cost of an enterprise's data breach is whether the CISO (or executive with a similar title and role) "has overall responsibility for enterprise data protection" and leads the incident response team. When this is the case, the per capita cost of a data breach is reduced -- on average -- by $10. (To help put that in perspective: The average per-capita cost of an enterprise data breach in 2014 was $201.)

[ Suffering from insomnia? Don't read Why Kasperky's Bank Robbery Report Should Scare Us All. ]

But, what should the link be between the CISO and the CIO? And, where does the CIO fit into the enterprise information security structure? In an informal poll during the session, the majority of audience members indicated by a show of hands their belief that enterprise security activity -- and, along with it, the CISO -- should fall under the CIO's purview. The panelists contested that notion.

(Image: Andrey Popov via iStockphoto)

(Image: Andrey Popov via iStockphoto)

"It's definitely a conflict of interest to have a security officer under [the CIO]," said panelist George Wrenn, VP and cyber security officer at Schneider Electric, because the performance of the CIO (who typically controls the CISO's budget) is often measured under interests that compete with good cyber-security practices. Instead, Wrenn said, the CISO should answer to a "non-technical role in the company."

Considerations of ethics and conflicts of interest can be paramount when it comes to making good security decisions -- as panelists demonstrated by drawing parallels to the 1986 Space Shuttle Challenger disaster. Investigators of that incident determined that safety issues received an undue lack of concern, as levels of "acceptable risk" were expanded in a culture where production was paramount and communication was flawed.

"[NASA] had to have X number of launches a year to justify the program financially," said Wrenn, alluding to what can happen when politics and budgets take precedence in security decisions.

At the same time, however, a big part of information security lies in managing levels of acceptable risk.

"It's really risk management and who does risk space … best … in your organization," said panelist Roland Cloutier, VP and chief security officer of ADP. Cloutier noted that data breach liability is a cost, and that's the mindset with which a board of directors makes decisions on information security.

"Everything comes back to cost," said panelist Nick Milne-Home, COO and president of 1E North America. "What has changed over the last year or so is the really, really clear [picture] of what that cost is."

Wrenn, for his part, voiced his preference that the CISO answer to the CFO because the CFO's priorities -- including those of cost management -- are more in line with those of the CISO than are the CIO's priorities.

Still, Cloutier maintained that the CIO has an important leadership role to play in cyber-security -- particularly when InfoSec is defined less as a cost center and more as a center for quality control.

For panelist Shuman Ghosemajumder, VP of product management at Shape Security, this is the paramount consideration. When asked what future CIOs should focus on in their education, Ghosemajumder was unhesitant in his response: "Number one: quality."

Ghosemajumder's solution to Cloutier's conundrum lies in "the explanation to the organization" of the import of cyber-security to quality. For all the cost considerations and risk assessment that go into information security decisions, Ghosemajunder urged executives to tell a story to their higher ups -- one that begins with: "Imagine this."

"It helps to change the DNA," observed Ghosemajumder.

What cyber-security story are you telling in your organization? How closely do you work with your company's cyber-security team? Who does your CISO report to? Tell us about it in the comments section below.

[Did you miss any of the InformationWeek Conference in Las Vegas last month? Don't worry: We have you covered. Check out what our speakers had to say and see tweets from the show. Let's keep the conversation going.]

Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including US News and World Report and Personal Real Estate Investor Magazine. Joe is also ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
smadnick
100%
0%
smadnick,
User Rank: Apprentice
6/2/2015 | 8:21:06 PM
MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity
These were great panelists with thoughful comments about the managerial aspects of cybersecurity.

For those interested in more information about the MIT Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity, go to ic3 dot mit dot edu
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll