Getting on better with IT: The One New Year’s Resolution Every CISO Should Make

Staying abreast of the latest security tools, running more awareness training workshops for employees…the dawn of a new year is traditionally a time for turning over new leaves and resolving to do things differently and better. There are plenty of resolutions a Chief Information Security Officer (CISO) might make but I’d suggest just one will do.

It’s to establish a closer working relationship with their counterpart over in IT – the CIO or IT operations manager.

Coming together to combat cyber-crime

It matters because it’s an easy and effective way to make the enterprise safer.

Despite the column inches devoted to ‘celebrity malware’ – the WannaCry ransomware cryptoworm, for example, scored hundreds of headlines after it was let loose on an ill-prepared global populace in May 2017 – most attacks are more pedestrian in nature.

They’re perpetrated by cyber-criminals who target known vulnerabilities which have usually been well publicised and for which patches have been created.

Poor patching practice in many organisations means infiltrators don’t have to try too hard. Malicious code can be downloaded from the black net and an opportunistic attack or several launched within minutes.

Simple steps

There are some straightforward mechanisms which can lessen dramatically the threat posed by these common and garden attacks. Working closely with the CIO or IT operations team makes them a cinch to implement.

Firstly, security teams need to get a better handle on their organisation’s IT assets. That means, for example, knowing how many laptops, tablets and smartphones are accessing the network and the operating systems and applications that are installed on them.

Given software running on a PC or server is a prime target, a rough count doesn’t cut the mustard.

Having true visibility of the potential attack surface means maintaining an exhaustive inventory of all IT assets. That task will be made significantly easier if the IT team is on side.

Having come together to determine exactly what they have – and the process that will be employed to keep the ‘asset register’ current – ensuring systems are up to date and patched is the next joint challenge for the CIO/CISO partnership. Both are important for optimal cyber-safety but the former is not likely to be something that’s within the CISO’s control.

Cooperation and a joint commitment to keeping things current, via automation, can ensure security staff don’t have to take part in the tail-chasing exercise that is patching out-of-date software.

Finally, working together to ensure appropriate security solutions are used to protect the enterprise’s architecture and systems is vital.

This is not always a given. Many organisations persist in trying to secure modern, highly decentralised mobile computing infrastructure with the tools of yesteryear. These have typically been designed for use in the mainframe and client server eras, when wifi was not yet invented and working remotely meant taking home a briefcase of papers, not logging on from the local Coffee Club.

Collaborating with the CIO on the selection of modern tools to address the unique security needs of the enterprise will maximise the effectiveness of the security budget and ensure systems are as safe as possible.

Differing priorities

It all sounds sensible and straightforward. So much so that it begs the question – why did the disconnect happen in the first place?

The answer is differing objectives; ones that put the two teams at odds, historically.

For CIOs, the ultimate objective and the key performance indicator by which they’d likely be judged was uptime.   

For CISOs, keeping business critical systems operating at speed was not a primary or even secondary priority. They wouldn’t be carpeted if the email system went down but would have been issued with a ‘Please Explain’, had the organisation suffered a preventable attack.

The result, in many organisations, was the formation of two camps. In the first, an IT operations team focused on keeping the business happy. In the other, the security crew whose default response to any suggestion a new application might be installed was likely to be ‘No’.

Singing from the same song sheet

The power struggle between the two camps may have been understandable – and liveable – in the past but pulling together for the good of the business is no longer merely a nice idea.

Cyber-attacks have ceased to be an inconvenience and are increasingly becoming an extremely expensive, perhaps even existential, threat for many enterprises. The collective cost of business disruption, legal and notification compliance, fines and compensation can run to millions, even before the unquantifiable cost of reputational damage is added to the tab.

Aligning objectives, processes, tools and resources to strengthen defences can mean the difference between successfully safeguarding corporate and customer data and becoming a statistic.

If resolving to work more closely with the IT team means less chance of the latter occurring, it’s a goal worth pursuing – in 2019 and beyond.