Recently, we published an article on the importance of the CISO and how essential this position is for countering security threats. Companies that prepare their top information security officers for success through collaboration and decision-making power, we argued, situate themselves for the best response to outside attacks going forward. Technology leaders recognize the importance of strong security policies, and directing their strategies through the CISO role is one of the best investments that organizations can make.
Although high-profile security breaches that originate outside of organizations usually drive headlines and awareness, many of the challenges that face technology leaders are structural or institutional in nature. In other words, many security risks are rooted in company cultures or organizational structures and present unique obstacles. Quickly responding to specific viruses or one-time attacks demands a great deal of time from technology leaders, but the challenges that confront them from a structural perspective are often the most difficult to uproot.
One of the biggest structural challenges facing technology leaders’ security efforts is a lack of focus from executive leadership. Another is internal threats: both intentional and unintentional vulnerabilities from company employees are extremely difficult obstacles to overcome. Finally, the size and scope of company operations create security risks simply through the sheer volume of systems and programs that many organizations depend on for daily business.
Lack of Focus from Leadership
If a unified approach from the C-level is one of the best approaches to information security, then a lack of cooperation at the top levels of leadership can be disastrous. Fortunately, good executives usually recognize how important a strong security approach is and make sure that the technology leaders responsible for an organization’s strategy have the necessary authority. At the same time, though, there is strong evidence that some line-of-business leaders are largely unconcerned with security or, worse, view measures in this area as a waste of resources. Heightened awareness of security risks has not always translated into more leadership involvement in recent years.
Technology leaders understand the cost and importance of security measures well, but a surprisingly high number of business executives think that these strategies are not worth the time and resources they demand. Writer David Bisson wrote on this mindset recently, citing survey data that claims 27 percent of business executives view security measures as having a negative return on investment. While it is true that keeping companies safe from attacks is one of the most cost-intensive tasks of an IT department, such short-sighted reactions reveal either a lack of awareness or a lack of concern about imminent threats. In either case, a lack of executive concern or attention is crippling to technology leaders and can keep CISOs and CIOs from ever rolling out a robust security approach tailored to the most pressing vulnerabilities.
While technology leaders may be hurt by indifference or negative attitudes from top levels of leadership toward security, it’s clear that the best CIOs and CTOs understand the importance of this issue. Security is a constant topic of conversation in our interviews with current technology executives: HMSHost’s Sarah Naqvi told us that this priority forms a large part of her current initiatives, and OneAmerica’s Gene Berry said, “[Security is a] big issue for all CIOs, regardless of the business you are in. With all the different types of malware and numerous hacker groups, the risks and threats are constantly evolving.” Prioritization from technology leaders has done much to raise awareness and collaboration, even if recent data reveals that there is still a great deal to be done to secure organizations.
Internal Threats
As frightening as outside attacks often are, CIOs and CISOs also face direct security threats from within company walls. While there is a worthwhile distinction to be made between purposeful attacks (or actions performed with malicious intent) and security breaches that happen because of inattention (such as an accidentally leaked password), the reality is that both situations pose huge risks for companies. Technology leaders have long worked to establish best security practices among their teams – often with success – but internal security challenges continue to persist.
Internal threats often present some of the most pressing security challenges for leaders. “The most dangerous aspect of insider threats is the fact that the access and activities are coming from trusted systems,” Marc van Zadelhoff wrote for the Harvard Business Review, “and thus will fly below the radar of many detection technologies.” In addition, keeping multiple internal teams across an enterprise aware of threats and vulnerabilities is a massive undertaking, especially when dealing with teams outside of IT functions. All too often, internal efforts are an uphill battle for CIOs and CISOs.
Internal security threats often demand extreme responses from technology leaders. One such approach is a “zero trust” strategy, a tactic that tries to anticipate all possible threats before they surface. Grace Murphy wrote on this approach for Security Intelligence, arguing that it often includes initiatives like continuous activity monitoring, segmented data networks or investing in the latest technology. Large initiatives like “zero trust” help prevent inside threats, but internal vulnerabilities will likely still present enormous challenges to technology leaders in the coming decades. Extreme responses can seem like an overreaction at first glance, but the gravity of these internal threats dictates proportionate strategies to counter them.
The Scope of Company Operations
The size and scope of business operations can also create security flaws. Even small organizations typically rely on multiple programs to conduct business every day, and each one presents a potential vulnerability that a CIO, CTO or CISO must be aware of. At larger companies, the burdens of keeping every internal system secure become even more challenging.
The specific risks caused by company size and operations vary greatly by industry, but their consequences are serious everywhere. Banks, or any organization that deals with a great deal of financial data, must make sure that every system that tracks transactions or user information doesn’t allow unwanted access, while companies that make internet-connected devices have to guarantee that they don’t create new vulnerabilities while rolling out products. Whether in finance, education, healthcare or any industry with sensitive information, companies bring many different software programs and systems together under a single umbrella, and it falls to their technology leaders to guarantee security.
Much like the other challenges listed here, company operations aren’t an impassable obstacle for security. Technology leaders who can adequately determine software needs and solutions across company platforms will succeed, as the best leaders demonstrate. In a successful example, CIO Don Anderson said in an article, “Having people on our security team who understand the business and their goals has been very beneficial. Today, our business lines are immediately engaging security when they have an idea and are talking openly about how appreciative they are for security’s help.” Nevertheless, it remains incumbent on the best technology leaders to invest company resources diligently to monitor the full scope of their organization’s needs.
There are many security threats beyond the challenges discussed here. As the world of information technology continues to shift and evolve, there will always be new risks that challenge even the best CIOs and CISOs. However, it’s worth looking at these three specific obstacles because they all represent challenges from the organizational side of security, rather than specific attacks that may quickly evolve or disappear over time. As such, these structural challenges are barriers to effective security policies that have persisted much longer than some of the newer viruses and schemes.
Technology leaders who spoke with the National CIO Review have taken many steps to effectively barricade their organizations against both internal and external threats. Beth O’Rorke of Blue Cross Blue Shield of Massachusetts said that “We have made dramatic steps forward to secure our foundation and continue to put key capabilities in place.” Dennis Yang of the MPAA told us, “One of the most important goals for any CIO is security. To that end, we have been looking at the next generation of firewall, antivirus and DDoS protection.” There are nearly countless examples of good security practices by industry-leading CIOs, and these leaders show ways to address external, internal and structural challenges to their goals.
Many of the obstacles discussed here may grow less serious with time. Business leaders are increasingly willing to invest in security measures, even if the percentage of those who view such efforts as wasteful is still alarmingly high. In addition, increasing technology skills across all functions of business should alleviate the threat of internal security breaches. Finally, increasing sophistication of security tools may help CISOs secure all operations. Security risks will always be present, but the best technology leaders will continue to lead their businesses forward.