Why This Cybersecurity CEO Says The CISO Has To Go


Sevco Security CEO J.J. Guy has had a long career in cybersecurity, and he says that the current organizational structure with both a CIO and CISO sets companies up for failure. Streamlining both IT operations and security under one department is the best way to combat today’s security threats, he told me.

This excerpt from our conversation has been edited for length, clarity and continuity. An excerpt appeared in the Forbes CIO newsletter.

What do you see as the biggest issue in the way companies handle cybersecurity?

Guy: Twenty years ago, we started the process of splitting security out into a separate organization. At the time, we were thinking of it as an independent audit activity on top of IT, where it keeps the independence of security. About 10 years ago, we elevated security leaders to the CISO to give them more visibility and recognize the increased importance of security to overall corporate influence. We also started investing a lot into security. Security teams as a whole have gained a lot of discipline over the course of the 10 years since then.

Most of that spending happened—to use the NIST Cybersecurity Framework as a backdrop—[in] the processes of protection, detection and response, because accountability and responsibility were aligned. The identify [process] at the beginning of that didn’t see a lot of investment because IT owned it. You had all this organizational inertia, and it’s difficult to do anything because that’s a different part of the org. You see Conway’s Law coming into play here, as well as the misalignment of responsibility and accountability.

Now, where our world is today, we’re starting to reach the point of diminishing returns on continued investment in security. The same kind of investments are not going to see the same level of increases in security programs because we built on top of a weak foundation. We’re to the point where security has to depend on IT to improve their identification. CISOs, for example, are accountable for the security of every single device on the enterprise network, but who’s responsible for giving them the list of those devices? IT, and IT does not have an accurate inventory of all the devices that the organization owns. It is an incredibly difficult position for any CISO out there because they are accountable for a list of assets that they don’t even know what they are. They don’t have the tools, resources, responsibility and organizational alignment to do so. Their colleagues over in IT do, but as they go over to IT and ask for it, they get nothing but big blank stares.

Bringing that back to vulnerabilities, the CISO is responsible for ensuring that all the most critical vulnerabilities across an organization are fixed, but it is IT that owns the remediation of those vulnerabilities. And in many organizations, the remediation doesn’t work, or it’s not working effectively, or it’s not efficient. There’s all sorts of challenges associated with it in the execution of the operations. What normally works out is the IT team says, ‘Hey listen, we’ve got a service desk. They’re working as fast as they can. Those guys are working hard. You just give us a list of the most important vulnerabilities, Mr. CISO, and we will put them in the queue and work those tickets as quickly as we can.’

You know what happens? The backlog of vulnerabilities grows and grows, and suddenly we’re having to talk about, ‘I need more technology to prioritize vulnerabilities.’ No, you don’t. You need to go fix your remediation problems. But that’s IT’s responsibility, it’s not the CISO’s. And the CISO can’t tell the CIO, ‘Hey guys, you’re screwing it up and you’ve got issues over here,’ because you have this whole organizational challenge between the accountability and responsibility. Nobody is saying, ‘Let’s go dig in and find the root cause.’

How do you bridge that gap, and what do you recommend an organization do?

At a macro level, the conversation that needs to be unfolding is back to how should our orgs be structured. Long term, what we’re doing with this disconnect between accountability and responsibility is not sustainable.

I’m not going to claim to have the answers to this. These are big, complicated things I’ve seen a lot over the course of my career. But this has got to be driven by a critical mass of stakeholders.

The CISO’s job has become two separate things. Years ago, when we decided to split security out into a separate org—we called it an independent audit function—that was based on the idea of risk management, in which IT still owned all the operational aspects.

Ten years ago, as we started to recognize security was not the sort of thing that you could outsource to a vendor—it was not a process to execute, it was an operation to own and manage on a day-to-day basis—CISOs and security teams started to take on more and more of an operational responsibility.

Now we’re to the point where continued improvement and operational responsibility within the scope of what we define as the CISO’s realm of responsibility is not enough. We need to get rid of the CISO title. If IT teams had taken responsibility for security back 10 years ago, 15 years ago, equivalent with the level of attention needed, then we never would have needed to promote the CISO to a role in and of itself. We did, and that was the appropriate decision at the time, but now we’re coming to deal with the implications of that decision.

We could get rid of the CISO title altogether and have the CIO be accountable for security just like the CISO is today. Then you’ve aligned responsibility and accountability under one overall operational leader. That’s going to run into all sorts of cultural challenges. Your typical IT leader is measured on metrics such as availability, efficiency, customer service. You want to keep the systems up, close the tickets as fast as you can and keep the cost down. That’s how an IT org functions. The world of a security leader is very different. They’re evaluated on different metrics, things like I need an accurate source of data. It’s more aligned with a financial system. Can you imagine ever trying to run the finances when you don’t even have a chart of accounts to be able to properly classify transactions into a category? That’s how we’re running our IT networks?

For those for whom getting rid of the CISO title altogether is a little too much, [the thing to do] would be to expand the CISO’s scope to include ownership for all the operational infrastructure—not just security infrastructure—and then let them make decisions about what to do in the trade-offs between availability and security. This to me makes perfect sense.

I cut my teeth in this business back in the Air Force in the early 2000s. We were getting hit by what we now call targeted attackers, advanced persistent threat in the late ’90s, before commercial business started to have to deal with those kinds of challenges. What we never did was split security and IT under separate leaders. The day-to-day operations of running the network were under one leader, which gives him the ability to make risk trade-offs. And would he sacrifice availability, take down the network in order to mitigate a security challenge? Absolutely, if the risk presented by that security challenge was sufficient to be able to justify, and he knew that the mission could still continue if the availability was negatively impacted. That kind of decision process we can’t make today in your typical commercial infrastructure because those are two separate leaders.

You’d mentioned this would be a huge cultural change. How would an organization reorient itself? Do you see broadening what everybody on IT does? How would you get there?

I’ve seen pockets of this happening in different companies and customers. I’m not the only guy who recognizes this. There are early stages of companies recognizing these kinds of challenges, so it’s probably a good time to go amplify this message. I have seen CISOs getting promoted to the CIO role. Their operational mindset, they’re managing and redistributing that they own security. [In some companies,] the CISO reports to the CIO, and then he works slowly over time redistributing the responsibility between his various departments internally, and helping shift the mindset of the legacy IT thinkers into more of an operational one.

I’ve also seen where the CISO has become the chief infrastructure and security officer. You still have a CIO of the same pedigree, and the CISO still reports to the CIO. IT operations and network operations—the core infrastructure that owns all the computing pieces, all the firewalls, proxies, and then the computing devices on the network—are all owned by the CISO’s org, or the infrastructure and security officer, in addition to his existing responsibilities. Over here on the IT side, you’re left with help desk, service desk, enterprise applications. That ends up becoming the applications built on top of the computing fabric, your customer-facing part of the organization. That would be the ‘expanding the CISO’s scope to include all of infrastructure’ approach.

There are major security risks out there that companies face, like malware, ransomware, phishing hacks. What is the bigger threat? The issues with the organizational structures, or these bad actors?

The solutions and activities necessary to counter those threats are the same as any other security issue. And 100%, organizations would be much better positioned by first cleaning up their organizational challenges before trying to go attack those things directly. Those things are the threat of the day, and they’re going to ebb and flow over time. The challenges in responding to them and mitigating the risks associated with them are the same as everything else I’m describing. Where would I start with responding to phishing attacks? Organization? It’s always an org problem. These are not technology problems. They are org problems.

What do you see in terms of company structures in five years? Will the split between CISO and CIO be as common?

I would like to think that five years from now, we’re not having this kind of conversation, or perhaps conversations about what’s the appropriate org are at their peak, and we’re in the midst culturally as an industry of recognizing it’s a conversation we should be having, and trying to figure out what the answers are. The pressures to do so are only going to become more important.

The world is getting more complex. Attack surfaces continue to grow. Complexity is increasing. Enterprise networks used to be this kind of nice, clean, relatively segmented element. Those are continuing to degrade and the world’s becoming more diffuse. Enterprise computing infrastructure is becoming more diffuse, and it is harder and harder to manage.

We’re going to continue to get better and better technology to help improve that and manage that and simplify it, but there’s going to be new stuff. We’ve now got the rise of generative AI and all the changes that’s going to bring to enterprise computing, and all the new risks associated with it. The efficiency and efficacy of our org charts are going to continue to come under pressure, and that point of diminishing returns that we are already at today is only going to become more and more challenging.

What kind of advice would you give to a CIO or CISO who is thinking along the same lines that you are, but is not quite sure where to begin to bring things under one organization?

Get out of the day-to-day technology that we all deal with, that preoccupies us. Sit down and draw the org chart. Build a RACI model. For any one of the core activities that are top level, understand where those cross departmental lines, and then zero in on those. Have an honest conversation with your colleagues. Let’s not be constrained by the old way of thinking and the way it’s always been done, because clearly the way it’s always been done didn’t work very well for us. We all know disparity in accountability and responsibility leads to problems, and we all know that the security programs we have today aren’t going to continue to scale. We’re not there yet. Put those things together and identify some of the root challenges of an org and a team structure that makes it faster, more efficient, simpler, more effective, and start the conversation.
