To Andy Ellis, the role of chief information officer (CIO) is a “dead-end job.”
Ellis would know. He has worked in information security at organizations as diverse as the U.S. Air Force, built Akamai Technologies into an internet giant, is currently an operating partner at YL Ventures, which funds and supports cybersecurity ventures, and an inductee into the CSO Hall of Fame.
As the cybersecurity veteran sees it: “Security will be embedded everywhere” in the near future. Because of that, he says, “the CIO job will go away as a separate C-level position” and be merged with the role of the chief information security officer (CISO) as a job function.
That’s just one expert’s opinion. But such a pronouncement is sure to rile the already problematic relationship between the two professions and their respective teams. Here’s why: For years now, the fiefdoms of IT operations and cybersecurity have been at odds.
While both are tasked with protecting their organization’s networks and endpoints (which can include tens of thousands of laptops, PCs, tablets, and virtual machines in the cloud), IT wants to make sure they run smoothly while security wants to make sure every single one is locked down.
From this simple dichotomy, a rivalry was born, and it can threaten the cybersecurity and overall health of an enterprise.
CIOs and CISOs have “different objectives, and that can be a major challenge,” says Duncan Miller, director of endpoint security at Tanium. Getting them to agree on the metrics of success is one the biggest hurdles in unifying the two departments.
“The two teams are being measured for different goals,” says Miller. “Your IT organization is charged with keeping things up and accessible. Your security team is there to make sure they’re being used properly and that they’re not accessible to folks who shouldn’t have the appropriate access. There is an inherent conflict between these roles and in making sure people are aligned.”
Taming a vastly expanded and complex threat landscape
Like everything else, the pandemic and the rapid shift to remote work are changing that dynamic. Today, distributed workforces—where each employee has at least one device that connects to the corporate network over the internet—have compounded the challenges for both IT and security.
There is an inherent conflict between these roles and in making sure people are aligned.Three-quarters of the more than 3,000 security, business, and IT executives that accounting firm PwC queried for its 2022 Global Digital Trust Insights Survey report too much complexity in their technology, data, and operating environments. That, in turn, has led to too many blind spots.
As a result, IT teams often lack visibility into as much as 20% of their endpoints. That means those devices can be misconfigured, lack software updates, and have unsanctioned apps on them, all of which can lead to poor performance for the user. Those same things are
To improve endpoint management and productivity, and to secure those endpoints against threats, both teams first need a 360-degree view of all those assets, not just a partial view. Security can’t be an afterthought. “If you build security later, it’s going to fail,” says Miller.
The emergence of a single leader for IT ops and security
To patch the rift, the fiefdoms must unite or at least work from the same real-time data, which can be achieved through a converged endpoint management platform that unites their interests and tools. Those should include asset discovery, risk and compliance management, sensitive data monitoring, and threat hunting. Uniting the two leaderships has both its upside and downside.
“Merging is an interesting structure” that needs to be considered, as it could help organizations be more productive and secure, says Ellis, who serves as advisory CISO to cloud specialist Orca Security. “However, [in combining the leadership], there’s a risk you can lose the perspective of someone who is solely focused on how risk technically operates.”
Wim Remes is a board member of (ISC)², the international nonprofit that trains and certifies cybersecurity professionals, as well as managing director at Damovo Security Services, which advises organizations on cybersecurity best practices. He is not convinced that IT and security belong under one leadership. “Their goals are too different for that to be successful,” he says.
For example, IT focuses on “availability.” If a system goes down, the business impact is direct. So an IT operations team may choose to leave a vulnerability unpatched if fixing it might crash the system. Security is focused on protecting the integrity of the whole system and the data it processes and stores. If a security leader reports into IT, leadership there will almost always prioritize business availability. That makes the full unification of IT operations and security a challenge: “Security is focused on all of the functions,” Remes says.
He believes a strong security program begins with a well-implemented IT strategy. “Many highly sought-after security capabilities in large organizations rely on strong asset management, configuration management, application security management, and patch management, which are all IT functions,” he says. “IT and security should work together to identify and mitigate risk.”
Breaking down IT and security silos
Today’s business environment means that a security strategy can only be successful if it works in sync with IT operations. The need now is to adopt a “converged” management approach. That means operating across silos, as one team.
IT has a massive punch list of its own. A security team with the same end goal can help with that.Experts say it is entirely possible to sync the two teams, since their ultimate goals are the same. “Security finds the problem, but ultimately IT has to fix the problem,” says Allan Alford, CISO and CTO at TrustMAPP, a cybersecurity performance management firm. “IT has a massive punch list of its own, and a massive list of priorities, and they’re only able to allocate a certain amount of resources. A security team with the same end goal can help with that.”
The challenge, though, can come down to different views of time. The security team might want to see everything fixed overnight, Alford says, but IT cannot always accommodate that kind of rapid timeline. Sometimes an upgrade isn’t possible because the person who wrote the software is no longer with the company, or a piece of commercial software has been discontinued.
Simply getting security and IT in the same room to hash out solutions won’t necessarily solve the problem, especially if the leaders have different leadership styles. The CIO can sometimes be forced to choose between two warring tribes.
Often, security will get sidelined in favor of another department that is more directly related to the financial goals of IT. “The success of IT is measured by what they don’t spend,” says Alford. “If security is folded into IT, it may be pressured not to spend, when what is really needed for security is to spend money. You don’t want to see security quickly getting marginalized by IT.”
Getting IT and security to work together on an identity and access management solution
Alford offers a case study. At his previous job as delivery CISO at NTT Data Services, he oversaw 50,000 people around the world. His team lived in both urban and rural areas.
At the start of the pandemic, he faced a global challenge just getting staff the right computers for the right situation and providing people in rural areas with reliable internet access. “We had a wide variety of scenarios, and IT and security had to work together to get through that,” he says.
To help make it work, the two teams united under a common identity and access management solution. “Traditionally, identity was managed by IT,” says Alford. “We saw it was integral to the security apparatus, since every security tool we had centered around an identity and access management solution. So security ultimately took that over, with cooperation between the two departments.”
The teams deployed a secure access service edge (SASE) solution to connect data flowing from centralized data centers to a range of services in the cloud. The company also ensured it had endpoint management protections in place when employees accessed the cloud.
Preparation, notes Alford, is the key to uniting security and IT in
the perimeter-less world of a far-flung, hybrid workforce. Be prepared with the right tools in place, he recommends. Break down silos, but keep experts in place at the top who truly understand their team’s function.
“It shouldn’t matter if somebody is at Starbucks or if somebody is at home,” he says. “The infrastructure has to be there to accommodate the lack of boundaries. It all can be done. The key is to have a ton of coordination between IT and security.”