Published on December 22nd, 2022
Corporate Tech Leaders Untangle Their Cybersecurity Roles
Information technology and cybersecurity chiefs grew closer than ever in 2022, a dynamic allowing for more comprehensive threat mitigation, but raising new questions over responsibilities.
Many executives now say that as their roles around cyber appear to converge, they are working to sort out the dividing lines between their shared security and IT responsibilities.
A few years ago, if organizations were hit with a ransomware attack, the chief information officer “would come running” to the chief information security officer for help in dealing with the aftermath, said Lena Smart, the CISO of database service provider MongoDB Inc.
Now, Ms. Smart said her security department works with CIO Mindy Lieberman to get ahead of ransomware attacks. About 50% of the company’s threat planning simulations, in which IT plays an active role, involve ransomware scenarios, according to Ms. Smart.
Across organizations worldwide, CIOs and CISOs are redefining their relationships, a shift reflecting both a surge in high-profile cyberattacks, and cybersecurity’s steady rise to the top of CIOs’ priorities, the result of continuing IT modernization, analysts say. In the most common corporate structure, CISOs report to CIOs.
“It is cybersecurity. …That is the highest priority,” Chris Howard, chief of research at technology research and consulting firm Gartner Inc., told The Wall Street Journal earlier this year.
The accelerated adoption of cloud computing and cloud-based software in enterprise technology environments has also made the cloud “the main target for top-tier attackers,” said Phil Venables, the CISO of Alphabet Inc.’s Google Cloud.
That, too, has forged closer ties between CIOs and CISOs, as they put greater focus on protecting infrastructure across cloud environments, Mr. Venables said.
The closer ties aren’t without tension.
In some cases, CIOs and CISOs have “difficult conversations” about what priority the IT team should give to tasks like software patching and system monitoring, which are crucial for mitigating cyber threats, said Bonnie Titone, the CIO of utilities provider Duke Energy Corp. Those tasks can add to the workload of an IT operations team, Ms. Titone said.
The Charlotte, N.C.-based power producer moved cybersecurity under Ms. Titone’s purview about a year ago, partly in response to cyber threats like the ransomware attack that led Colonial Pipeline Co. to temporarily shut down its pipeline in 2021.
“Being in a utility, specifically one of the largest, Duke’s kind of the 800-pound gorilla,” Ms. Titone said. “We generally have a target on our back.”
Though the CISO reports to her, Ms. Titone said security has “the biggest bark in the room.” On the other hand, “IT’s job is to enable the company, or else you can’t build tools and rules and components. That stops you from innovating,” she said.
Jim Swanson, the CIO of healthcare-products company says although security sits within his priorities and responsibilities, he makes sure the CISO Marene Allison’s voice is heard. Ms. Allison is retiring at the end of the year, the company said, and will be succeeded by Gary Harbison.
“I’ve always made sure that it is a prominent function, reports at my leadership team table, it’s not buried in the organization, they have an independent voice,” Mr. Swanson said. “So when I talk to our board, I talk about our operational data, and my CISO does the presentations.”
At Adobe Inc., the CISO sets corporate cybersecurity policies but works with the IT organization to execute them, said Cynthia Stoddard, the company’s chief information officer. But there is also collaboration between them where “security may set the policy, but my team is raising, ‘Hey have you thought about this?’” Ms. Stoddard said.
Prasad Ramakrishnan, the CIO and former CISO of software maker Freshworks Inc., said IT and security have shared roles in evaluating the cybersecurity resiliency of corporate software purchases. And in securing a hybrid work environment, his joint cybersecurity and IT roles included adding a new cybersecurity layer on top of cloud-based software on company laptops.
MongoDB’s Ms. Smart said that she is often collaborating with Ms. Lieberman to secure applications developed by the company’s software engineers for internal use. “We have a lot of bespoke tools being a tech company,” she said. “If we find something and it’s got a critical vulnerability, they’ll fix it immediately. That’s the agreement.”
As the demand for corporate security leaders has grown, along with elevation and visibility of the role, there is renewed interest in the dynamics between the CIO and CISO, said Alex Michaels, a Gartner adviser who works with IT leaders.
Mr. Michaels recommends that CIOs and CISOs “establish clear definitions of ownership, accountability as well as roles and responsibilities,” particularly for ransomware and malware attack scenarios.
“Regardless of the relationship between the CISO and CIO, it is important to remember that the business owners of information are ultimately accountable for protecting their own information,” he said.
Isabelle Bousquette contributed to this article.
Write to Belle Lin at belle.lin@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.