By Linh Lam
IT and security teams have been at loggerheads with each other for far too long. In the age of digital transformation, it’s time the two groups set their differences aside and increase collaboration.
In today’s corporate landscape, the relationship between Information Technology (IT) and security departments often mirrors a tangled web, marked by conflicting objectives and strained interactions.
Yet, as digitalisation accelerates across all sectors, amplified by the lasting effects of the COVID-19 pandemic, it has never been more crucial for Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and other digital technology leaders to align their strategies for the greater good of their organisation.
As we witness an escalating digital race in every industry, the need to harmonise the divergent missions of IT and security has become paramount. So, what are the conflicting perceptions both teams have against each other? And how can business leaders optimise this divided relationship that has persisted for the last decade?
The conflicting views of IT and security teams
Traditionally, these two departments have functioned as separate entities with distinct roles. IT, under the stewardship of the CIO, has primarily focused on the swift delivery of digital services to maintain a competitive edge and ensure customer satisfaction. Simultaneously, the security team, led by the CISO, has been dedicated to identifying and mitigating potential security and privacy risks inherent in these services.
This dichotomy often results in tension within organisations. IT professionals may perceive security teams as the “Obstruction Bureau,” while security professionals may view IT teams as reckless, prioritising speed over safety.
Further complicating this relationship is the evolving role of both the CIO and CISO. Both are transitioning from being mere technology specialists to becoming integral business strategists. CIOs, once tasked with delivering IT services efficiently and cost-effectively, are now expected to spearhead digital transformation efforts and stimulate revenue-generating innovation.
Similarly, CISOs are growing into business leadership roles. According to a Gartner report [1], CISOs are now “key enablers of digital business”, responsible for balancing the associated risks and benefits. They achieve this by assessing, prioritising, and enhancing an organisation’s security posture.
Unless organisations carefully devise a strategic plan that recognises and integrates these evolving roles, they risk instigating territorial disputes, budget conflicts, and operational confusion. Here are four key strategies that every business leader should leverage to bridge this gap and eliminate this divide.
Overcome the “us and them” attitude
It is vital to nurture a partnership mentality between IT and security teams. Both teams need to understand the importance of each other in order to get ahead of this “us vs them” mentality. Business leaders must communicate the necessity of each team to the other. For instance, the IT team needs security to ensure that the rapid development and deployment of applications do not compromise the organisation’s cyber defences.
Conversely, security teams need to rely on the IT department as a valuable source of cyber risk information. Working closely with the IT team will allow the security team to gain critical insights into the organisation’s cybersecurity and productivity needs.
It’s also important to recognise that effective cultural change often emanates from the top. Thus, CIOs and CISOs must pioneer efforts to foster open communication and collaboration.
Look beyond organisational charts
A PwC report [2] revealed that while 40% of CISOs report to a CEO, 24% report to the CIO, and 27% report directly to the board. The reporting structure can vary depending on the company size, industry, and specific organisational needs. While it is commonly believed that having both the CIO and CISO report to the CEO promotes collaboration and reduces friction, there is no universal formula for success.
In some cases, it’s more practical to have the CISO report to the CIO, because security requirements should be the first consideration for any IT initiative. Having CISOs report to CIOs complements this consideration, and it also ensures that the IT teams don’t miss out on any security-related insights.
On the other hand, if the business is in a highly regulated industry, such as financial services or retail, having the CISO report directly to the General Counsel’s office makes more sense.
Regardless of which approach you choose, the end goal should be to align risk management with business objectives, and the reporting structure should facilitate this.
Initiate early collaboration
Conflicts often emerge due to the perception of security as an afterthought, a final hurdle to be cleared after the IT department has put significant effort into developing innovative software or systems. This view can lead to the IT team feeling unduly delayed and frustrated by the sudden intervention of the security department, wielding its red pen with what may seem like reckless abandon.
Conversely, the security team might feel as if they are being thrust into a high-stakes situation with little forewarning, forcing them to scramble to secure a vital new piece of architecture just days before its planned launch. Scenarios like these breed resentment on both sides and the resulting conflicts only serve to harm the organisation they’re both striving to improve. It’s the corporate equivalent of building a house only to discover too late that it’s not structurally sound.
The solution to this issue is ensuring that the IT and security departments work in tandem right from the start. This means that from the moment an application is ideated, through the stages of architecture design, up to the final review stages, both teams should be in close collaboration.
By adopting this approach, the necessary due diligence regarding potential vulnerabilities and risk exposure can be completed upfront. As a result, security becomes an inherent part of the resulting product or project, rather than an afterthought. This process is encapsulated in the DevSecOps approach, where security is intertwined throughout the development lifecycle instead of being a final checkpoint.
Integrating security into the development process at the outset can mitigate risks, prevent late-stage disruptions, and foster a more collaborative culture between the IT and security departments. It can also lead to the creation of more robust and secure digital solutions, enhancing the organisation’s resilience and credibility in the long run.
Elevating CISOs as leaders in risk management
In today’s complex digital landscape, the nature of security demands has drastically shifted. The role of the CISO must transform accordingly to match the evolving demands of the digital age.
Security has transitioned from a purely technical function to a more integrated component of organisational risk management. Given that cyber risk intersects with every facet of an organisation, it is critical to treat it as a strategic business function, rather than a niche technical concern.
Therefore, it’s essential to empower CISOs to function as central figures in managing risk across the business. This involves giving them a seat at the strategic decision-making table, allowing them to work collaboratively with their CIO counterparts, rather than in opposition.
With CISOs positioned as leaders in risk management, they can provide vital insights into potential risks and their impact on business operations. This would not only strengthen the organisation’s overall security posture but also facilitate better alignment between IT and security objectives.
When CIOs and CISOs operate on the same level and from the same playbook, they can collectively lead their teams to bury past grievances and work together effectively. This collaboration is integral to the successful digital transformation journey of any organisation, enabling them to navigate the complexities of the digital landscape more efficiently and securely.
In conclusion, the integration and alignment of IT and security is a strategic imperative in today’s digital business environment. By fostering a collaborative culture, promoting flexible organisational structures, encouraging early and ongoing collaboration, and empowering CISOs as risk management leaders, businesses can bridge the divide between these two crucial departments. This, in turn, can enhance their competitiveness, improve their resilience, and ultimately drive their success in the digital age.
About the Author
Linh Lam is responsible for leading Jamf’s information technology and solutions while continuing to help the company grow. Linh joins Jamf from ICE Mortgage Technology as their SVP & Chief Information Officer. Linh holds a Bachelor of Arts degree from Stanford University.
References
1. CISO for Digital Business. N.d. Gartner. https://www.gartner.com/en/cybersecurity/role/chief-information-security-officer
2. A C-suite United on Cyber-ready Futures. N.d. PwC. https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-digital-trust-insights.html