Recently, I published an article exploring the reasons why the CIO Will Report to the CISO. The premise was that it makes more sense to align core infrastructure under the CISO, allowing the CIO to focus on business processes and applications that make the business more efficient.
It was a mistake when CIOs created the CISO role and then allowed it to move out of their organisations. Collectively, CIOs missed the opportunity to take responsibility for security at the moment the CISO role was created; instead, the role quickly moved outside the CIO organisation. If CIOs had taken ownership of security and evolved their organisations, there would have been no need to distinguish them from CISOs, let alone create two separate organisations: one for IT and one for security.
Information security has historically been a function of IT. Like other IT functions, the business value comes from the product you buy and people are required to administer the product. CIOs purchased a suite of security products from vendors as part of the overall network architecture, similar to routers, switches and email servers. Those products quietly and reliably provided services such as endpoint antivirus, network traffic monitoring and application-level proxies.
Security as an administrative IT activity was sufficient for many years. The predominant threats were opportunistic attackers, who monetised their access based on scale. The attackers did not care which computers they compromised; they simply wanted many of them to use for click-fraud, spam and other Internet-scale activities. Their presence in enterprise networks was inconvenient, but largely irrelevant to the business since the primary financial impact was to third parties.
The combination of these two characteristics meant traditional signature-based endpoint antivirus was good enough: the large footprint of successful attackers would get them signatured and blocked; less successful attackers were just “noise” that the business managed. Now, threats are evolving.
In the late 1990s and early 2000s, governments around the world experienced a series of repeated and targeted attacks. These attacks were not aimed at stealing computer cycles, but at stealing information, heavily focused on weapon systems design, development and capabilities.
Since these attackers were not interested in scale of access, but precision of access, endpoint antivirus was not effective. These attackers, if detected at all, rarely exceeded the “noise threshold” of antivirus companies to justify distributing signatures. As a result, these attackers were able to bypass security products at will and remain undetected inside compromised networks, often for years. Since attacker focus was the organisation’s critical data, their presence was no longer irrelevant, but presented a clear and persistent danger to the organisation’s objectives.
In the early 2000s, all products from all vendors failed to recognise the threat of targeted attackers and provided little to no meaningful mitigation capabilities. As a result, departments of defence invested not in new products, but in the people and processes employing existing products.
These departments developed an operational model that included protection, detection and response as equally important activities in a continuous operational process. In doing so, they demonstrated a distinct shift away from the best practices of the time: practices that had depended on products for protection, with detection and response as ad-hoc activities in response to specific incidents.
In the late 2000s and early 2010s, the objective of targeted attacks broadened from mostly espionage into crime. Attacks against commercial businesses increased, and focused on stealing data that could be easily monetised such as credit card numbers and personally identifiable information. The shortfalls of vendor security solutions became apparent through repeatedly successful compromises. Commercial businesses began to intimately understand the lessons learned by departments of defence a decade earlier.
Businesses began elevating security leadership from a mid-tier manager in the CIO’s IT organisation to a CISO. In many businesses, the CISO’s IT oversight role was used to justify moving the CISO position out of the CIO’s organisation to report to the CEO or another CxO.
Security Operations Emerges
CISOs began to recognise that the value to the business did not come from the products they bought, but from their people. Products are only a tool in their team’s toolbox, supporting the team’s operation. People are not hired simply to administer the products; products are purchased to support the people. Today, a Security Operations Centre is becoming a generally accepted requirement for any large organisation’s security, digital asset protection and data stewardship responsibilities.
When commercial industry adopted the department of defence’s (DoD) security approach, we took the model for DoD security operations but not for the organisation. Departments of defence do not have separate IT operations and security operations leaders. They do not invest in their security operations independently of their IT operations. They invest in improving the operational discipline of both their IT and security programmes simultaneously.
Pulling the CISO out of the CIO’s organisation was a mistake. We wrongly prioritised the CISO’s audit and oversight responsibilities over security operations responsibilities.
CISOs are learning that operational discipline and rigor add more security value than audit, oversight or compliance activities. Unfortunately for organisations that split the CISO and CIO organisations, the operational discipline of security programmes is maturing independently of the CIO’s traditional IT operations.
Today, the CISO’s security operations teams are gaining discipline and rigor from a painful but effective feedback loop, thanks to constant testing by attackers. In many cases, the growing maturity is independent of traditional IT operations activities that are still owned by the CIO.
CISOs are finding that IT basics such as network management, asset management and patching are critical to secure operations, but that in many organisations they are poorly managed. It is impossible to secure an enterprise network when the organisation cannot handle the basic blocking and tackling of IT.
The next major step in security is growing the same discipline in our IT operations that we have in our security operations. You cannot fix the problem by simply buying a new next-generation product, or a new deep learning artificial intelligence gizmo. It takes a combination of people, processes and products. The organisation must be constantly improving. No vendor’s product can overcome your team’s lack of operational discipline.
CISOs with mature security operations teams have already recognised this; their teams have the momentum built and are gaining rigor daily. However, they are building security programmes on top of the core IT infrastructure. The overall security of your network is only as good as the weaker of your security and IT programmes. The value of new investment in security operations will decline unless the IT operations also mature.
If you are a CISO, your responsibility is the security of the company. Be the torchbearer for extending your operational culture throughout the technology organisation, deepening your partnership with the CIO. Your risk, audit and compliance responsibilities require some independence, but compliance does not make your company secure. Do not let those functions create an “arm’s length” mindset in yourself or your teams.
If you are a CIO, you need to start operationalising your IT activities. If you do not act now, investment in security operations will no longer bring meaningful security value because your IT operations are not equally disciplined. If you do not act now, the business will have no choice but to transfer ownership of core IT functions to the CISO. If that conversation happens, the reporting chain conversation will follow.
As you plan your company’s approach, I urge you to keep past mistakes in mind. Do not try to mature security operations and IT operations independently. Building an operations centre from scratch takes a lot of time; building two separate operations centres that must closely coordinate activities is poor leadership and does not set up your team for success.
I titled this article “The CIO will report to the CISO.” In truth, our situation could also be summarised as “The CISO should never have reported to anyone but the CIO.” “The CISO should not exist” is another potential interpretation.
We are still very early in the development of security as an independent corporate discipline with board-level visibility. Many organisations have not yet prioritised security to this level, and there is a lot of diversity amongst those that have.
Whatever organisational construct fits your company, note that operationalising security is more important than compliance and oversight activities. Furthermore, operational maturity must be applied not only to security-specific activities, but also to the traditional IT activities.
J.J. Guy is the Senior Director of Cloud Engineering at Carbon Black