Desire for gain. Fear of loss. These are the things that motivate us as humans. People do things based on what's in it for them, and I can't think of any role in business today that this applies to more than that of CIO.
Being charged with keeping the IT shop running while also being held responsible for enterprise security leaves many chief information officers (CIOs) caught between a rock and a hard place. Mix in a little pride, some politics and an economy filled with unknowns, and the people normally responsible for all things IT are now having to change their approaches. And it's not necessarily in the best interests of the business.
One of the best things you can do is to establish some allies outside of IT.
I've heard countless stories from network admins, software developers, information security managers and others about how their CIO continually works to undermine what everyone knows needs to be done with enterprise IT security. The budget is there, but no money can be spent. The risks are there, but no one is acknowledging them. The technologies are available, but no one's implementing them.
CIOs certainly have plenty to worry about in today's business environment, and I can't quite imagine what it's like to sit at their desks and take on their challenges.
For most of my security-assessment projects, the CIO is not the person hiring me to do the work. It's often the chief financial officer, operations manager or director of internal audit. These people outside of IT want to (and often have to) make sure that the CIO is indeed doing what needs to be done to keep IT in check.
The problem is no self-respecting CIO is going to want someone -- especially an outsider -- to come in and call his baby ugly.
If your CIO ends up creating hurdles for you and what needs to be done with enterprise security, don't give up. Businesses need people who are willing to call it when they see it -- and do something about it.
Your goal needs to be visibility. Create IT and security visibility across the business. This means getting involved more with other areas of the business outside of IT. This also means building your credibility through trust and being a person of value to the business.
More about enterprise IT security:
Enterprises still face age-old vulnerabilities, attack techniques
What do CISOs worry about most?
Study finds firms failing at mobile application development security
One of the best things you can do is to establish some allies -- some fans -- in the organization outside of IT. This might be someone in finance, HR or legal. What you need is someone who gets IT but also has the ear of other executives. If you don't have a security or IT governance committee, then form one. It's one of the best things you can do to generate support of the enterprise IT security function. Just don't go at it alone.
I'm not attempting create a blanket stereotype across the IT field. A lot of CIOs get it. I just think that there's so much at stake (money, prestige and other self-esteem-building perks) at this level in one's IT career that many CIOs are going to do what it takes to defend their turf.
They're certainly not going to let this security thing make them look bad. What's interesting is that I'm starting to see this very behavior and approach to security among chief information security officers -- especially at larger organizations. There needs to be some oversight and accountability.
As an IT professional, you can help push enterprise IT security forward even if your CIO is getting in the way. And you won't have to circumvent his or her authority in the process. Just remember: People are perfectly selfish. We're always going to do things for a reason. Get more people on board with IT and security, and you'll start to see some positive changes.
About the author
Kevin Beaver has worked for himself for over 10 years as an information security consultant, expert witness, and professional speaker with Atlanta-based Principle Logic. With over 23 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around information risk management. He has authored or co-authored 10 books on information security, including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Reach him through his blog or on Twitter at @kevinbeaver.
This was first published in November 2012