Having had the privilege of working in several different industries, I have learned the importance of alignment, both of teams and in organizations. The alignment of Information Technology has always been all over the place. Some companies have IT aligned to Finance, others to Operations, and, odder still, some align IT to Legal. I am aware that the alignment struggle for IT has always been caused by organizations' "fear" of anything technical. What is odd is that this fear does not manifest itself in CEOs wanting a direct interface with an area of their business they know will have a dramatic impact on its viability.
Security is a little different, however. Security is not about technology at all, contrary to the understanding most people share. Great security is about protecting people and the processes they use to perform their work. Good technology is about their workstyle and how those people and processes interact. Secure the processes, make the people aware, ensure their workstyles are supported and voila – you have a lasting security culture that is technically driven, with room for unencumbered and continuous innovation.
Sure, you have to manage the technology (you always do), but the technology does what you tell it to; people, not so much. Processes tend to be driven by the limitations of the technology, which is an indicator of bad tech. When process is driven by bad tech, people find workarounds to support their workstyle (like using a personal Box account for file sharing), and that is where security risk comes into play. This is commonly referred to as "shadow IT" and usually occurs when technology leaders are not integrated in every facet of the business.
Why are security leaders still reporting to risk, technology, or financial leaders who have a different set of objectives entirely? While cyber concerns are a risk to a business, risk leaders often lack the operational experience necessary to lead security teams, making them purely administrative, with a desire to let their CISO do their job unencumbered. Financial leaders simply have too much on their plates already, so the same happens. You can make the argument that technology leaders are concerned with ensuring the technology deployed is secure, but security in the strategic sense is a discipline on its own. Being a technologist does not make you a security expert, but in most cases you need a security expert who understands technology at a level deeper than cursory. So, with all that being the case, why aren't more security executives (in particular) aligned to their CEO?
CEOs who are serious about protecting the information of their customers and their employees should have both a CIO and a CISO or CSO reporting to them directly, primarily because neither discipline is technology-focused anymore; they are both business-focused, and in just as good a position to help a company grow and improve as an Operations Officer, Financial Officer, or Marketing Officer – all staples of the executive office.
Businesses that prefer to position their Information & Security executives behind other leaders tend to miss out on the innovation those different perspectives can bring, and these days innovation means the difference between your company being yesterday's leader or tomorrow's trendsetter. In my opinion, today's CEOs should fear the conversations they do not hear involving security and technology.
Remember this: every CEO is forced to get cozy with their CIO/CISO/CSO when things go wrong or something gets hacked. A more proactive approach might be having those resources at the table when decisions are being made, instead of when decisions are thrust upon the org for survival or recovery.