Defensible Tech TeamNovember 3
Trends can be hit-or-miss. While most evolutions of security and vulnerability management best practices can lead to stronger security, not every trend is worth following. What’s most important is to think critically about these trends and decide whether they will actually put your company in a better position to stay secure.
Some current trends are threatening the independence of information security from the IT department. This includes the rise of managed services providers (MSPs), who work with companies to implement and manage their IT infrastructure, offering security services. Another trend is Chief Information Security Officers (CISOs) reporting to CIOs, instead of allowing CISOs to operate as true, independent C-level executives.
These trends both contravene a fundamental concept: that a security program led by an experienced, independent CISO builds the strongest foundation for security. A CISO brings a full range of expertise - both the data security experience and business know-how - that’s necessary for designing, executing, and guiding a security program. Though information security policies and programs are closely linked to IT infrastructure and initiatives, they touch other parts of the business as well. No matter the current trends, a security program led by an independent, expert CISO puts your business in the best position to secure valuable data.
On the surface, the trend might seem efficient, because an MSP that has an existing relationship with a business has knowledge of that infrastructure. Information security ties closely to IT infrastructure, and in many cases information security policies and best practices dictate how IT infrastructure must be configured. However, there are core differences between managed IT services and security experts. These differences, which encompass both expertise and approach, mean that MSPs cannot provide security services as strong as those led by security experts.
MSPs have strong experience keeping IT systems up and running. This means that MSPs focus on the availability of data and the administration of IT assets. That experience makes them valuable partners for tasks specifically related to infrastructure availability.
However, strong security requires different expertise and a different approach. Though IT infrastructure and information security intersect, security also requires other realms of expertise. Those include:
The threat of data breaches also ties into a fundamental difference in approach between an MSP and a security team. As MSPs focus on data availability, a security team must focus on data security. Even though availability to the people who need the data is part of a security plan, a security team needs to prioritize keeping data out of unauthorized hands.
Because of these differences in experience and approach, an MSP cannot provide services as well-tailored toward keeping your business secure. Those fundamental differences make this trend of MSPs offering security services one to avoid. It makes more sense for your business to work with a CISO, a dedicated expert in information security, to guide the program.
A security program led by a CISO puts your business in a better position to stay secure. A CISO has a full range of executive and information security skills to lead a best-in-class security program. Those skills include designing security programs, evaluating data protection practices and vulnerability management, performing security due diligence, leading security and compliance initiatives, evaluating data protection practices, and speaking with regulators. This ensures that both the abilities and the approach of your security program remain focused where they need to be: on securing your business.
We’re seeing this trend more and more, and debate is as lively as ever over whether the CISO should report to the Chief Information Officer (CIO), or whether the CISO should be a full member of the C-suite. As it pertains to the former - CISO reporting to CIOs - this is not a bad thing. At Defensible, we’ve even participated in this reporting hierarchy. What’s important is to recognize that CISOs reporting to CIOs does create the potential for CISOs to yield their autonomy to CIOs, which is a less-than-ideal setup.
Businesses where the CISO reports to the CIO often see information security as an extension of information technology. Despite some companies’ conceptions of the CISO as a director of information security who operates under the auspices of the information technology department, risk is a more holistic concept than just IT. It involves questions of liability, finances, human resources: all facets of the business. Ideally, businesses put themselves in the strongest position to address risk by giving CISOs full autonomy.
Requiring CISOs to report to CIOs can create a conflict of interest. In theory, CISOs and CIOs should share the goal of continuous business operations. However, they approach business goals from different angles. CIOs focus on implementing and managing IT infrastructure. Those goals do need an advocate within the enterprise, but they can create tension if tied inextricably with security leadership.
If CIOs sit above CISOs in the organization chart, security concerns could be minimized or overridden by other IT initiatives or timelines. Though security solutions must be usable, they also need to be thoroughly thought out and tested by a team with expertise in security matters and vulnerability management best practices, and whose goal is to ensure the business is in the best possible place to resist threats and keep data secure. Independent executives leading independent teams assure those goals will lead to the most balanced way forward.
Businesses with a CISO who reports to either the CEO or the Board, and not the CIO, also have a more holistic view of risk. With a seat at the table, the CISO can discuss with not only the CIO, but also other parts of the company, about the data security ramifications of business decisions. Other parts of the business are more likely to give security concerns time and consideration on their own merits if the CISO can reach out to leaders across the business, instead of risking being dismissed as part of the IT department.
An independent security program led by a CISO who reports to the same level as other C-level executives puts your business in the best place to resist modern threats. A CISO brings your business the level of deep experience in both security and business that you need to execute successful security initiatives and stay competitive.
Even if your company is a small-to-medium-sized business that has yet to hire a CISO, size is no longer an obstacle for bringing in CISO leadership. With a virtual CISO (vCISO), experienced security leadership is available to businesses of all sizes. A vCISO can bring a CISO with more experience than would normally be available to a small- or medium-sized business, who can provide flexible, cost-effective security leadership. Contact Defensible today to learn more about how to bring experienced security leadership to your organization.