Remote working has opened a new can of worms when it comes to cybersecurity. It has also exposed an attitude problem among security professionals.
“CISOs who have focused the design of their security controls environment based on risk levels associated with their organization’s unique business context and the current and emerging threat environment will not likely have to change their approach,” says Richard Addiscott, senior director for security and risk management programs at Gartner.
He argues that CISOs who already operate this way will have already recognized the impacts to their risk environment based on the change to their organization’s new operating model and will have adjusted accordingly.
“Security leaders who have not yet recognized the change that the shift to remote work might have on their current threat and risk environment may not have taken the steps necessary to protect their organization’s information assets. Therefore, they could be leaving their organization more exposed to cyber threats than they were when operating in a business as usual environment,” Addiscott warns.
The different attitudes also expose a wider problem of how closely CISOs and other CXOs, like CDOs, need to work together.
In the past, CISOs focused on security and on safeguarding their companies' assets, while CDOs and development heads saw their security colleagues as barriers to innovation.
Addiscott believes that CISOs will need to change the way they work with other departments.
“A good CISO will recognize that their success will be linked to their ability to build positive and productive relationships across the organization. It’s highly unlikely they can be a lone wolf in any organization and expect to achieve optimal security outcomes,” he notes.
A proactive CISO will also realize that a good data architecture, supported by a strong classification and governance framework, will help them design the right security controls. This is made more vital as the two worlds of data privacy and security merge.
For example, good CISOs can explore having air gaps between different networks so that there is very little physical or digital contact between them, as is done, "for example, inside government agencies focused on their country's national security," says Addiscott.
“It all comes down to each organization’s risk appetite. If an organization has a close-to-zero risk appetite for some information to get into the wrong hands then having it ‘closed off’ from the world outside the organization is one of a number of avenues that they can take as part of a defense in depth security architecture,” says Addiscott.
More importantly, CISOs should become enablers of innovation, not barriers. “The relationship with the DevOps team is also critical, if they have a goal of embedding security and privacy into the organization’s digital environment from the ground up,” Addiscott observes.
Such a strong relationship can help CISOs and CDOs to set up IT and security governance frameworks at the very onset of development, whether deploying new digital architectures or purchasing new digital tools.
“It is critical for CISOs to work closely with all parts of the business. The CDO/CISO relationship is key to ensuring that new digital capabilities are visible to the CISO and their teams. This allows the security team to provide advice early on in the development process to ensure that security and privacy can be embedded in a new system from the ground up,” says Addiscott.
In fact, Addiscott believes this closer working relationship offers CISOs the opportunity to develop security controls that are unique to their companies' working environment.
This article is part of a CDOTrends eGuide.
Photo credit: iStockphoto/Ирина Мещерякова