With security becoming more critical in business environments, Jennifer Scott looks at who should take responsibility for the safekeeping of a company and how the two senior information roles must interact.
The traditional way to deal with IT security in a business has been to refer to one person. The security manager or chief information security officer (CISO) took charge of buying the right equipment and software to keep a data centre safe, and was trusted to get on with his job, enabling others to continue with their daily chores.
We no longer live in a traditional security environment, though. It is no longer a case of protecting one connection to the business with a firewall, or scanning for malware on its PCs. There are more angles of attack, new routes to data centres and rising numbers of cyber criminals banging at the chamber door.
Security is also no longer a task for just the IT savvy to worry about. After numerous high-profile hacks and the likes of Anonymous and LulzSec hitting the headlines, everyone from the receptionist at the front desk to the chief executive on the top floor knows security is a pressing issue, and most want to have their say on the best way to tackle it.
This has led to the chief information officer (CIO) having a little more to contribute to the issue, and has often caused him or her to become the go-between from the boardroom to the CISO, changing how both C-level employees do their jobs. But what changes have been made, what have been the leading reasons for them and what does the future hold for the two roles that many IT and security professionals aspire to?
The front pages of newspapers have told the tale of Wikileaks, the power of Anonymous has been debated on Newsnight, and even This Morning is covering credit-card hacks. Security has never been such a dominant topic in the wider world, and this has been reflected in the growing number of threats against the corporate environment.
Canon Europe director of information security, governance and risk, Quentyn Taylor, says high-profile and targeted hack attacks have become a priority for the security IT professional. However, despite their prominence in the news, and the adrenaline rush of beating down cyber criminals, there are more important issues to tackle, he says.
“Certainly cyber crime and espionage are top of the news piles. However, it is the increasingly commonplace issues, such as consumerisation, data leaks and changing legislation, that are top of a lot of CISOs' action lists,” notes Taylor.
While it is tempting to focus on the headline-grabbing issues, which will concern not just the head of security but other board members and employees too, Taylor believes those in charge of IT should prioritise the day-to-day tasks.
“It is too easy to fall into the trap of following today's headlines without any regard to what is important to you as a company,” he adds. “The smart CIO and CISO look not only to the stories of the day (and how these can help them educate their company's staff), but also to the real challenges.”
One such challenge is the trend for the consumerisation of IT. Liam Quinn, IT director of Richmond Events, claims that the change in the way employees work and the devices they use is putting a lot of pressure on the information security professional.
“The days of the CIO or CISO being able to dictate and control how and when users access their systems are over,” he says. “The shift towards remote or mobile working, plus the consumerisation of information technology, means that the CIO or CISO must focus on securing the boundaries of the network, while allowing access via a multitude of devices from a multitude of locations.”
When discussing these new ways of working and their threat to the traditional corporate environment, it is impossible to avoid mention of cloud computing. Rackspace's vice-president of technology, Nigel Beighton, argues that the cloud has “broken down the operational hold” that IT once had over the rest of the business.
“This means that businesses are now more agile, but, and it's a big but, the need for data security controls becomes inherently more important at the same time,” he says.
“Because business users will always think about business functionality first, rather than the security issues, company-wide security policies need to be formalised and clearly communicated,” he adds.
Although the CIO traditionally came from an IT background, ensuring he or she knew all they needed to about the technology environment of the company, it has become normal practice to hire from the business side.
“CIO means chief information officer, yet I have seen many CIOs who are really just the head of ICT,” says Taylor. “A CIO really is far more than this and should help guide the organisation on how to make the best use of data flows to maximise revenue. IT is only part of the equation and is a tool to accomplish the job, rather than a dedicated c-level role itself.”
The CISO, however, was firmly planted in the data centre, taking control of the protection of this information and building the walls around the company's intellectual property. Be it procurement, deployment or maintenance, this was the job of the CISO and all he or she had to do was keep within budget.
With all the money constraints that have come about thanks to the recession, at a time of increased risk to IT, Beighton says: “Being human about this issue for a moment, I would say that CISOs' biggest challenge is to continue to feel enthusiasm for their role in what is a highly changeable and still-nascent IT environment.”
In this environment, the CIO is having to look more closely at security, and the rest of the board are going to them for answers. And this is making them step on the toes of the CISO, who was used to a role where a good day meant no contact with the board and a bad day meant cuts to their department's budget.
This continual rubbing each other up the wrong way isn't helping anyone, and the adage of “too many cooks spoil the broth” could be apt to describe a situation where no single role is taking full control and, more importantly, responsibility for the IT security of the business.
Where the future lies
Michael Everall, vice-president of information security at Lehman Brothers, states that the merging of the two roles needs to stop, because both the CIO and CISO have important jobs to focus on, and the latter needs the freedom to do his work properly.
“If an organisation is to survive in this ever-changing world and ever-increasing threat landscape, there needs to be a strong and enforced-by-management separation of the CIO and CISO,” Everall says.
He adds: “The CISO may functionally report to a CIO, but it is essential that they have independence and a strong matrix report outside of IT. This is not to say that IT and information security will not collaborate closely on operational issues, such as day-to-day oversight – after all, information security's technology is mainly focused on the IT landscape.
“The issue is that information security professionals have to stand back, look at the mixture of legal, compliance, regulatory and operational issues that can impact IT and the business, and then work with IT and the business to come up with viable solutions and mitigating and compensating controls that will work.”
Canon's Taylor believes that the CISO will become more prominent in the future, but the postholder will have to change their attitude to perhaps better reflect the more traditional way they acted before.
“As more and more emphasis is placed on the information, the person tasked with protecting that information will gain more and more prominence,” he explains. “For this change to occur, however, there needs to be a change in the CISO, which means that far from being the ‘preventer of information services’ as popularised by the cartoon Dilbert, he takes a far less risk-averse approach, aligning with the risk appetite of the organisation.”
Many security analysts and experts have claimed that the IT security professional can no longer “just be the guy who says no”, but Taylor argues that for this to happen, the CISO must first receive the full backing of the rest of the company.
“This approach cannot be taken in a vacuum – it must be supported by the company as a whole,” he adds. “The sad fact of the sales organisation being rewarded for taking risk, while the CISO/CIO are rewarded for not taking risk, needs to be resolved.”
Everall agrees, even suggesting a new role will emerge out of the ashes of the traditional security mould.
“[The information security threat] is now far more understood at senior levels – it's not if a breach may occur, it's when, how big and how do we manage it,” he explains.
“This is leading to the CISO becoming more of a purely risk-oriented and pro-active solution provider, with more independence from the IT structure. The role isn't so much changing as expanding into other areas. Possibly, the role will become ‘chief risk officer’ as time progresses.”
Separating risk from business
Regardless of the merging of the roles or the aforementioned “stepping on toes”, both the CIO and CISO are more important members of their companies than they have ever been.
The key for them, however, is to focus on the tasks at hand and not get bogged down in more trivial matters. In the future, the CIO must look to how information and IT can help achieve business goals. The CISO must then look at risk assessment and how he or she can enable the growing trends in IT, such as consumerisation and cloud computing, to benefit the company in a safe way.
As long as the two postholders keep to their side of the bargain, the enterprises they work for could become the safest and strongest they have ever been, even while operating within an increasingly dangerous threat landscape.