Data security is a big deal. You know it, I know it, and it is hard to argue at this point in time, that unless you’re living off the grid, data security is a universal value. On an almost daily basis, data breaches and their severe, far-reaching consequences are reported in the news, leaving organisations on a multinational scale in no doubt that this is an issue of the very highest significance.
Further, regulations such as the GDPR and Privacy Shield have been introduced in order to safeguard customer data, pushing data security to the top of the C-suite agenda from a legal compliance perspective. So nowadays, data security is receiving the attention it should in many forward-thinking companies. But it was not always this way.
The CIO — an officer alone
Looking back several years, cybersecurity, while important, had not reached the boardroom agenda. It was still bubbling beneath the surface, viewed as an issue that fell within the remit of the IT department alone. Whilst digital processes still existed within business at this time, companies were far less reliant on them for day-to-day operation, and fewer customer details were stored in the cloud.
This meant that although a data breach would be an inconvenience and best avoided, it would not have the catastrophic effects of the cyber attack of the modern era. Imagine a ransomware attack on a platform like Hailo — business (and a swathe of the taxi industry in the UK) would come to a screeching halt. But prior to the turn of the millennium, data security existed primarily as a bullet point on the job description of the Chief Information Officer (CIO). It was one of many issues a CIO was tasked with handling, alongside IT resource management, budgeting and internal operations. CIOs prioritised ensuring their systems and services ran flawlessly for their end-users, and often security capabilities were prioritised second or third.
Enter the CISO
The CISO’s top priority is to protect corporate data and critical computing resources. As digital transformation has expanded to encompass all industries and sectors, technology has become an integral part of everyday business. Digital processes and applications have evolved beyond internal data storage and communication. For many companies, interaction with customers takes place almost solely across digital platforms. But whilst technology has huge benefits to offer the enterprise, heavier reliance on digital has resulted in increased vulnerability to online threats.
Consequently, cybersecurity has become an issue that requires full-time attention. And businesses have responded to this changing landscape by prioritising the CISO role. This served the dual function of providing additional risk mitigation for the enterprise, and freeing up the CIO to focus on wider strategic and operational requirements, IT maintenance, and further opportunities for digital transformation.
But it is not an entirely straightforward solution. Separating cybersecurity and IT roles in this way has the potential to cause conflict. For instance, what happens if the CIO wants to implement a particular solution that the CISO deems to be a risk from a security perspective? Who has the final say?
A changing of the guard
Whilst the hierarchy of the CIO and CISO remains fairly ambiguous and can vary between organisations, it has traditionally been commonplace for the CISO to defer to the CIO in instances of conflict.
However, I would envisage these roles reversing in the future. The significance of data security has moved beyond the IT department and become a business-wide, and even board level, concern. In particular, the explosion of cloud computing means that company data is no longer stored exclusively within the confines of the data centre, but carried on employees’ endpoint devices such as laptops and tablets. And the prevalence of BYOD culture has led to an unprecedented rise in shadow IT — people using unauthorised tools to complete tasks with ease-of-use as a primary selection criteria.
The role of a CISO is to partner with the C-Suite and help the business run faster and do so securely. Traditionally, security organisations were viewed as slowing things down and often saying “no” to the business. In my humble opinion, that is not the proper mindset for any security organisation. Identifying techniques and tools to accelerate the competitive advantages of your employer and outmaneuver the competition is now part of the job description; or it should be.
By Rick Orloff, Chief Security Officer at Code42