As the risk and potential impact of information security breaches have increased, information security has become an integral part of many corporations’ IT strategies and thus a large focus for Chief Information Officers (CIO). This is especially true given the ever-closer media scrutiny of cybersecurity issues.
In recent years, many corporations have added a Chief Information Security Officer to their corporate governance structure and removed them from the oversight of the CIO, having them report directly to the CEO instead or elevating them to the board. However, many of the measures required to combat information security threats are in the IT field and it remains a natural place of management for the CIO. Segregating information security away from the CIO can bog teams down in inter-office politics, paralyse decision-making and hamper the development of an integrated, cross-department security strategy.
We contend there is a natural role for the CIO in developing and implementing information security measures. Here’s how CIOs can navigate the governance challenges and manage information security in their corporations.
1. Develop a long-term, cross-silo strategy for handling information security matters
The CIO is well placed to implement a long-term, proactive strategy to bolster security, replacing the audit-driven, compliance-focused strategy that prevails in many corporations, which simply reacts to threats exposed by catastrophic breaches, regulators, auditors or the media.
Such a strategy will include tactics of both prevention and response. All departments involved, including IT, HR and legal, should be aware of their roles in delivering this coherent, cross-company strategy, reporting to the CIO.
2. Involve board members in information security matters
Developing and implementing a long-range information security strategy requires the support of the board of directors—both for the long-term funding commitments and for the clear and unambiguous vision which can trickle down to all spokes of the corporation, especially ones with many operational divisions and geographic locations.
The CIO should emphasise to board members the gravity of information security issues, which they often overlook, preoccupied with flashier geopolitical and financial risks, or believe to be low risk and low frequency.
Board members are becoming more alert to cybersecurity issues, particularly those hammered by the media and politicians, but the CIO needs to convince them that not all threats are external, nor are they all delivered through the internet. Measures are also needed to guard against internal threats and leaks.
3. Close the gap between security and technology
The CIO also needs to look within their own department for attitudes that may be leaving the company exposed to information security risks. Technologists within the IT department are likely to prioritise delivering functionality and may see security measures as constraining their work or take a tick-box approach to them.
However, IT systems and strategies need to be developed with constant vigilance to security measures. This may be achieved by appointing a CISO who is capable of both addressing short-term tactical problems arising from security breaches and delivering the long-range security strategy developed by the CIO and the board. It’s thus essential that the CISO in this role report directly to the CIO.