October 11, 2023
At a Glance
- Resilience is becoming the new mantra of the cybersecurity field.
- Threats abound: Ransomware, zero-day vulnerabilities, third-party and supply chain attacks, vishing, phishing, deepfakes.
- AI and quantum computing will have a profound impact on the way CIOs and CISOs do their jobs.
CISOs and CIOs occupy different seats at the C-suite table, but they both are concerned with organizations’ IT infrastructure.
“If you look at the role of the CIO, we are responsible for taking care of bringing the technology infrastructure, which keeps the company engine going,” says Prasad Ramakrishnan, CIO of cloud-based customer relationship management company Freshworks. “The CISO’s charter is to make sure that we have the governance and security and the controls to … take care of our customer data, take care of our employee data, take care of privacy.”
Unsurprisingly, CISOs and CIOs share some pain points. Four CISOs and two CIOs talked to InformationWeek about some of the biggest challenges they face and how they are addressing them.
Resilience is becoming the new mantra of the cybersecurity field. Resilience is about how an organization will respond if and when it experiences a cybersecurity incident. “We as CISOs are all going to experience at least one if not more and certainly or potentially significant, cybersecurity incident in our careers,” says Tyler Farrar, CISO, at cybersecurity company Exabeam.
Will an organization be crippled for days or weeks? Or will it have the playbook in place to respond and execute a rapid return to operations?
For CIOs and CISOs, achieving operational resilience requires strategic planning, education, and alignment throughout their organizations.
“Being a good CISO is part education and part practitioner,” says Laura Deaner, CISO at financial services and life insurance company Northwestern Mutual.
CIOs and CISOs have to wear many different hats, acting as both technical and business leaders. The technical aspect of the job is essential to operate and protect the IT infrastructure, but these leaders cannot do that part of their job without making a compelling business case that secures C-suite and board buy-in.
“The culture of a company is also important, ensuring that the technology and security goals are aligned with the mission and the objectives of the organization itself,” says Deaner.
The Sprawling Tech Stack
“Everybody is struggling with the sprawling technology stack,” says Carl Froggett, CIO of cybersecurity company Deep Instinct. Many companies are working with a mix of legacy technology, like on-premises servers, and new cloud and SaaS systems. CIOs and CISOs are faced with the operational and security challenges that come with this disparate tech stack and the migration to new systems.
With that sprawl comes the challenge of data governance. What data does a company have? Where does it reside? How can it be safeguarded? If CIOs and CISOs can’t answer the first two questions, they can’t even begin to collaborate on an effective strategy for protecting their organizations’ data.
Given the proliferation of data, it is unsurprising that many leaders feel overwhelmed; 60% of IT leaders reported that they feel overwhelmed by data, according to the 2023 IT Priorities from cloud-native platform Snow Software.
Freshworks CIO Ramakrishnan and his team regularly practice app rationalization to understand what software the company has, what it is actually using, and how compatible those tools are.
“We look at all of our tools on a regular basis to make sure … are we using the tool? Are we getting the required level of utilization from the tool?” he explains. “Does this tool talk to all the other tools that we have? Is this still a tool that we want to keep within our enterprise?”
If a tool is not being utilized or working within the overall tech stack, Ramakrishnan and his team determine if it needs to be replaced by a new option or if an existing tool can take over. Then, they prepare it for retirement.
“I also need to look at the security impact of all the tools. Have too many tools and what happens is security becomes an afterthought,” says Ramakrishnan. “Simplifying the stack is top of mind from a CIO perspective.”
Evolving Threats and Compliance Requirements
Ransomware, zero-day vulnerabilities, third-party and supply chain attacks, vishing, phishing, deepfakes: new cyber threats emerge every day. CIOs and CISOs are challenged to keep their organizations operational and to keep data out of threat actors’ hands. Plus, the regulatory landscape continues to broaden across different states and countries.
“Each industry has their specific areas that they have to worry about because the attack vectors are different and then also the type of data is different,” says Tim Chase, global field CISO at cloud security services company Lacework.
The IT field does offer a plenitude of resources that CIOs and CISOs can use to collaborate and learn from one another. Conferences like RSA and Black Hat bring together thousands of professionals. IT-ISAC has industry-specific groups for sharing information on threats.
“I feel like compared to maybe other industries, it's very interesting that we will come together. We'll be competitors out there on the battlefield of sales. But when it comes to security, we'll put that down and we'll just talk,” says Chase.
The information technology field and the cybersecurity field are experiencing talent shortages. In a Deloitte survey of technology industry leaders, 90% reported that recruiting and keeping talent was a moderate or major challenge. The shortage of talent in cybersecurity is illustrated by all sorts of similar statistics and studies painting an alarming picture of millions of unfilled jobs. The problem has garnered the attention of the government. The Biden-Harris Administration released the National Cyber Workforce and Education Strategy earlier this year to address the talent gap.
While talent is a scarce commodity, CIOs and CISOs can leverage third parties to get the skills they do not have internally and have yet to hire. They can also find ways to automate lower-level tasks, freeing staff to spend more time on more important, less repetitive work. IT leadership can also retrain and upskill existing team members.
Over the course of his career, Froggett has looked for ways to begin tapping the developing talent pipeline. Building relationships with high schools, universities and veterans’ programs can attract people to open IT and cybersecurity positions within an organization.
Regardless of how IT leaders build their teams, they must maintain a connection to them. “We do not need a leader who is so disconnected from the rest of their security organization. That is a risk in and of itself,” says Farrar.
Generative AI and quantum computing are exciting frontiers, but they represent multifaceted challenges for CIOs and CISOs. How can organizations adopt these tools without introducing more risk? The multitude of options and use cases seem endless. What kind of guidelines need to be in place to ensure employees understand potential security issues? In the case of AI, the tools are so easily accessible employees could be using them without company knowledge.
But the challenges of new technology like this are not only internal. “Most, if not all, ‘disruptive’ technology in the economy is ‘destructive’ technology in the underground economy or black market,” Jerry Sto. Tomas, CISO of HealthEdge, a healthcare SaaS software company, warns in an email interview.
There is no question that AI and quantum computing will have a profound impact on the way CIOs and CISOs do their jobs, but predicting what that change will look like and navigating through it will be an ongoing challenge.
“Normally, when you have a technology, you can kind of go: ‘Alright, this is going to get replaced.’ You can envisage a future, a point where that technology is going to get to. I honestly can't put a border around generative AI and quantum [computing],” says Froggett. “I really, truly believe a lot of the things that we’ve learned, certainly in my career, are just going to get tipped on their head, and we’re going to have to just embrace a drastic change.”
CISOs and CIOs must keep themselves and their organizations up to date with the evolving technology and security landscapes, which means they often need to spearhead change-driven projects. Driving organization-wide change is challenging in any scenario, but even more so if CIOs and CISOs don’t have regular communication and buy-in at the board level.
“There's still a fair amount of CISOs that don't regularly report to the board. So, there's just a big gap there that I think needs to be filled,” says Chase.
While that gap still exists, it is narrowing. The State of the CIO Study 2023, conducted by marketing technology company Foundry, found that 77% of CIOs report having a strong educational partnership with their CEOs and board of directors. Furthermore, 85% of the surveyed CIOs said they are becoming changemakers in their organizations.
Cybersecurity company Proofpoint and academic forum Cybersecurity at MIT Sloan examined CISO and board communication in the Cybersecurity: The 2023 Board Perspective Report. A total of 53% of board member respondents reported regular communication with their cybersecurity counterparts, up from 47% the previous year.
New rules for public companies from the US Securities and Exchange Commission (SEC) emphasize board-level involvement in cybersecurity risk management, which will likely encourage closer ties between CISOs and board members.
“The person with a plan will be the most effective champion of change,” says Sto. Tomas. “Make sure to measure your success, failures and values of your plan so you are prepared to address the fast-evolving risks and adapt to global economic changes.”