Convergence of CIO and CISO Roles to Manage Cybersecurity Risks in the Enterprise
Cybersecurity spending continues to be at an all-time high and is expected to grow by over 10 percent to a whopping $96 billion in 2018, according to Gartner. Enterprises are constantly threatened by new and emerging cybersecurity risks such as cryptojacking, ransomware, data breaches, data exposure, and phishing, among others.
Recent examples, such as the Equifax breach that exposed the data of 146 million customers, or the Sony PlayStation data breach that exposed Personally Identifiable Information (PII), including the credit card numbers of 77 million customers, all point to significant financial and business losses, the threat of class action lawsuits, and subsequent damage to brand reputation that can take a severe toll and have a long-term negative business impact.
Effective and resilient cybersecurity implementation requires close collaboration and alignment between the CIO and CISO orgs
Comprehensive root cause analysis of many of these attacks traces them back to inherent weaknesses in code development processes, open source vulnerabilities, gaps in database and network security, and weak user authorization policies. For example, in the Equifax case, attackers exploited a vulnerability in one of Equifax’s applications, developed by an employee using the popular Apache Struts framework, which had not been updated even though a security patch had been available for several months. A single unpatched software vulnerability caused this massive security breach, which exposed personal details of nearly half of America’s population and led to the CEO stepping down after a Congressional hearing, in addition to massive financial losses from lawsuits and customer churn.
As a result, many Fortune 1000 enterprises are now realizing that the responsibility to protect themselves from cybersecurity risks is shared between the CIO and CISO organizations. Historically, CIOs owned the IT roadmap and were responsible for delivering modern technology solutions to support and grow the business, whereas the CISO’s primary role has been to manage information security risk for the enterprise while helping the rest of the organization deliver on business objectives. Today, these roles have evolved to be more symbiotic than adversarial, and they deliver the best results by partnering to protect valuable business and customer assets. For example, the CIO will need to ensure that security tools are well integrated into the application development lifecycle, from design through deployment. The CISO can help the IT organization identify best-in-class security tools and services, and the two can partner to manage and mitigate cybersecurity risks.
Interestingly, the intersection of IT and cybersecurity is ripe for technology disruption, and a number of innovative startups have emerged in this space. One such startup is Contrast Security, which provides a unique solution to help developers easily build secure software. Contrast also enables enterprises to block cyber-attackers from exploiting run-time vulnerabilities both in frameworks like Struts and in custom application code. Another example is Synack, which offers a crowdsourced security testing platform covering vulnerability scanning and discovery, risk scoring analytics, compliance checks, and remediation advice, while leveraging a private network of highly curated, best-skilled, and vetted security researchers across the globe. These startups are helping enterprises bridge the chasm between CIO and CISO orgs by ensuring that applications are built and managed with a “security-first” mindset.
In conclusion, effective and resilient cybersecurity implementation requires close collaboration and alignment between the CIO and CISO orgs. Enterprise security is a shared business vision: it should be considered a core part of the company’s strategy and culture, and a shared responsibility across the entire organization.