
Brian Spanswick is Director of Information Security at Cohesity.
Today, CIOs and CISOs are tasked with many high-priority and often overlapping initiatives, from digital transformation to cloud migration, including hybrid cloud, on-premises and multi-cloud deployments. All of these are critical to the enterprise, but they are inherently tied to disaster recovery and other security and risk management imperatives that must be addressed concurrently. And often, these CIOs and CISOs are trying to balance these initiatives and manage risk while facing a significant talent shortage in IT and cybersecurity teams.
So how exactly should CIOs and CISOs work together to implement the technology initiatives needed to keep their businesses competitive (e.g., moving to the cloud), while ensuring cyber resilience against ongoing threats such as ransomware, and while coping with this pervasive talent shortage?
In talking with clients, I’ve discovered that while there’s no one-size-fits-all approach, there are takeaways for organizations looking to balance technology and business needs while mitigating cyber risks in this fast-paced workplace.
Balancing cloud deployments with security
CIOs and CISOs today view the cloud, whether in private, public, multi-cloud or hybrid deployments, as one of their organization’s greatest opportunities for digital transformation, but also one of its greatest challenges. When moving from on-premises to the cloud and then determining a cloud strategy, there are many factors (and even trade-offs) to consider.
Migration to the cloud forces organizations to extend certain security postures beyond what they can directly control. For example, there are considerable variations in cloud providers’ data retention policies that could lead to permanent data loss (e.g., due to ransomware) if backups are not properly scheduled. This risk can be mitigated by proper and modern data management and security practices, but it is definitely something that needs to be addressed from the start. A good first step is to strengthen your organization’s own security posture and then ensure that cloud partners meet these requirements; that is, they adhere to the same security policies and standards as internal security control operators.
Additionally, customers cited compliance as another major part of their cloud strategy, especially for those in highly regulated industries like healthcare and finance. For example, healthcare has only recently embraced the public cloud, now that privacy compliance for SOC Type 2 and HITRUST has become possible.
Collaboration between IT and security functions
The growing threat of cyberattacks is causing organizations to rethink and restructure the relationship between IT and cybersecurity, both at the operations level and at the C-level. Most security teams have focused primarily on preventing cyberattacks, while IT teams focused on data protection like backup and recovery. But a comprehensive data security strategy must bring these two worlds together, because any lack of collaboration creates significant business risks and can put organizations at the mercy of bad actors.
For many organizations, this means changes to the C-level reporting structure. For example, while it is still common for a CISO to report to a CIO, more and more CISOs report to the CEO to create separation between IT and cybersecurity and create accountability on both sides. In other cases, like mine at Cohesity, the roles of CIO and CISO are combined based on a preference that one person should be equally and transparently responsible for information systems and cybersecurity.
Regardless of the hierarchical structure, it is clear that technology and security must be integrated at the highest levels of an organization to ensure that critical systems are operated efficiently and securely. More and more teams are working closely with business leaders to assess technologies and plan initiatives, so that business needs are met with agile and secure information systems. IT, security, and business operations must be aligned and work in tandem to drive IT success.
Managing a small talent pool
While there are many opportunities and priorities for deploying information systems today, none of this would happen without talent, and unfortunately many organizations struggle to hire IT and cybersecurity talent due to widespread labor shortages. According to recent research from Cohesity, this continued shortage is impacting the ability of IT and security teams to collaborate effectively.
One of the ways organizations are combating this problem is by focusing on retaining and reskilling their current workforce. Technology employees are more difficult to recruit because of their high demand and desire for work flexibility, which makes retention and internal development as important a strategic focus as recruiting.
The bottom line is that in today’s challenging landscape, IT and security teams need to be co-owners of cyber resilience outcomes and have a holistic understanding of their organization’s potential attack surface. There’s no one-size-fits-all approach, but encouraging collaboration is essential, and modern data security and management can help close the gaps, improve visibility, and help both departments sleep better at night knowing they can work together to stay ahead of bad actors.