Why CIO should report to CISO

Enterprises face a difficult problem at the top of the network security chain.

CISOs responsible for overseeing the network carry the primary responsibility for security, but they often lack visibility into the infrastructure and critical business data that is quickly becoming a popular target for cyber attackers. The CIO, who oversees the development of that same target infrastructure, is better positioned to understand the vulnerabilities and visibility gaps that malicious actors may exploit.

Digital transformation has placed IT at the front and center of almost every organization, which has made the task of protecting infrastructure more complicated. The importance of data as the lifeblood of enterprises has increased, and infrastructure has changed fundamentally. The focus is now on cloud computing and mobile computing, and the resulting adjustments in the targeting of cybercriminals and nation-state attackers have shifted the focus from the network to the Internet.

So, who should be responsible? Can cyber security responsibilities be divided between the CIO and the CISO? Can they share security responsibilities in some way? No, that does not work. To borrow an old football saying about starting quarterbacks: if you have two security chiefs, you really don't have one. Now is the time for companies and other organizations to seriously consider having their CIO report to the CISO.

Security requires unity
The most telling thing is how the relationship between the CISO and the IT operations team plays out here: although the security team sets the security requirements, it is usually the IT operations team that is responsible for meeting them. For example, a security team may have deployed endpoint agents on 17,000 systems, but it still doesn't know whether it has covered the whole network. It must ask the IT department how many systems need protection. And, in fact, no one knows, because the IT department has never asked that question.

IT infrastructure—more specifically, the lack of visibility into it—is the biggest weakness of enterprise security. We have reached a point where the attacker knows the company's network better than the security professionals responsible for protecting it. Gaining visibility into infrastructure—whether it involves assets, network identities, or applications and services—requires a unified, holistic approach, and that starts with unified control at the top.

Why a CISO?
The role of the chief information security officer (CISO) first appeared in 1995, and as CISOs became more common in enterprises, the role's responsibilities have changed over the years. Formed under the IT umbrella, and therefore reporting to the CIO, the CISO's main goal was to identify and purchase products that could effectively protect the company. Managing them was IT's job.

However, the problem with this approach is that IT has evolved into a highly siloed function, which means that few IT departments have people with a thorough understanding of all systems and how they interact. This is mainly because IT organizations are not inherently operational in the traditional sense. It is a cultural issue that prevents the organization from fully understanding its entire IT infrastructure.

The challenge for CISOs is to develop a strategy to protect an infrastructure that no one in the organization really understands. That has always been a recipe for failure. An enterprise's security posture is created by security procedures built on top of the core IT infrastructure, and its overall effectiveness depends on the weaker of the two.

If the CISO is responsible for the security of the enterprise, it is reasonable for the same person to be responsible for both security and the IT infrastructure. In the words of former NFL coach Bill Parcells, if they want you to cook the dinner, they should let you buy the groceries.

One job, not two
Twenty years ago, when I started working in cybersecurity in the Air Force, the military had no CISO separate from the CIO. The IT director owned both IT operations and security operations, and the two grew together. Of course, the situation has changed since then, starting in the private sector and spreading to all businesses (in fact, the Air Force now has a CISO).

It is unclear why the CISO position was originally created. It may be because the CIOs of the time were unable to solve the security problem. Or perhaps some organizations believed it was necessary to create a C-level position to emphasize the growing importance of cybersecurity. But these are not two separate roles, especially in today's operational and threat environment. They are one. You have the enterprise infrastructure, including operations and security, and then you have the enterprise applications that help the business run more efficiently. Everything in IT is too unified and interrelated to delegate the work of running and protecting operations to two different seats.

It can be argued that the emergence of the CISO role and its separation from IT operations are among the main reasons for many network security failures today. When I worked in the public sector, I saw that combining operations and security brought clear benefits to security. This is something that organizations in every sector now need to consider returning to. The current environment calls for combining the IT and security functions, with the CIO reporting to the CISO.
