02 Jun
Cyber Security And The CIO: Changing The Conversation
Do CIOs have an inherent conflict of interest when it comes to security? What should be their InfoSec involvement?
Who in the enterprise should take the lead on cyber-security issues? And what role should the CIO play? These were the two main questions with which speakers wrestled during the MIT Sloan CIO Symposium, held in May on the school’s campus in Cambridge, Mass.
During a session titled Cybersecurity: New Approaches to Assessing and Maximizing Your Protection, a panel of information security executives agreed that CISOs and their ilk are key players on the cyber-security battlefront.
Indeed, the importance of the CISO role is well documented. According to the Ponemon Institute’s 2014 Cost of Data Breach Study, one of eight factors that affect the cost of an enterprise’s data breach is whether the CISO (or an executive with a similar title and role) “has overall responsibility for enterprise data protection” and leads the incident response team. When this is the case, the per-capita cost of a data breach is reduced — on average — by $10. (To put that in perspective: the average per-capita cost of an enterprise data breach in 2014 was $201.)
But, what should the link be between the CISO and the CIO? And, where does the CIO fit into the enterprise information security structure? In an informal poll during the session, the majority of audience members indicated by a show of hands their belief that enterprise security activity — and, along with it, the CISO — should fall under the CIO’s purview. The panelists contested that notion.
“It’s definitely a conflict of interest to have a security officer under [the CIO],” said panelist George Wrenn, VP and cyber security officer at Schneider Electric, because the performance of the CIO (who typically controls the CISO’s budget) is often measured under interests that compete with good cyber-security practices. Instead, Wrenn said, the CISO should answer to a “non-technical role in the company.”
Considerations of ethics and conflicts of interest can be paramount when it comes to making good security decisions — as panelists demonstrated by drawing parallels to the 1986 Space Shuttle Challenger disaster. Investigators of that incident determined that safety issues received too little attention, as levels of “acceptable risk” were expanded in a culture where production was paramount and communication was flawed.
“[NASA] had to have X number of launches a year to justify the program financially,” said Wrenn, alluding to what can happen when politics and budgets take precedence in security decisions.
At the same time, however, a big part of information security lies in managing levels of acceptable risk