In most of my security assessment projects, I work with CIOs in varying capacities. These CIOs will often be the project sponsors, but they mostly serve as the liaison to executive management.
Interestingly enough, I see a lot of CIOs who are mostly disconnected from the enterprise IT security assessment process. I'll even go so far as to say that a certain number of CIOs see security as a threat to their careers.
But according to recent studies, security is a growing concern for CIOs. Looking at the 2013 TechTarget annual IT Priorities Survey, 56% of respondents said data protection was their top priority. CIO magazine's 2013 State of the CIO Survey had similar findings. It found 70% of IT executives believed increasing threats around enterprise security will have an adverse impact on their organizations. And for this year, respondents to the National Association of State Chief Information Officers State CIO Priorities survey for 2014 said security was their top concern.
These survey results suggest that I'm seeing and hearing two different things. On one hand, there appears to be an arm's-length relationship between CIOs and security. But at the same time, studies show that security is front and center on the minds of many CIOs.
Based on my observations, there's little correlation between enterprise IT security and the size of the business or the industry in which it operates. But one thing is for sure: It doesn't matter if you're a CIO or you work for one and are partly responsible for minimizing information breach risks. If enterprise IT security is to be effective for the long haul, the role of the CIO has to be "all in" on what's going on with security.
To paraphrase Pat Riley, basketball coach and team owner, you're either in or you're out when it comes to commitment, because life in-between doesn't exist. This is especially true for what's happening with security assessments. These security assessments are the gauge -- the true indicator -- of where things actually stand regarding information breach risk.
Although some say life is good for CIOs, I still don't envy them. The CIO role is one that involves politics, numbers and maintaining a balance between management and workers to keep as many people as possible happy. It's also about corralling and keeping hard-headed IT professionals like me focused on the issues that matter. It may not be obvious to others outside of IT, but one thing is certain: The role of the CIO and the success of enterprise IT security are core elements that will make or break any organization.
Security is obviously a business issue that needs to be addressed at the highest levels. It doesn't matter which side of the equation you're on. Do what it takes to ensure CIOs and their team members have the resources they need to minimize the risk of information breaches. If that doesn't happen, the harsh realities will eventually surface.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.
This was first published in January 2014