Invest in the CIO, before the CISO

I’ve written before about how IT delivery is a crucial limiting factor for cybersecurity outcomes and about how cyber hygiene is mostly not in the security team’s control. I’ve come to realise that I also don’t think IT delivery quality is in the IT team’s control either.

I recently re-read “A Seat at the Table” by Mark Schwartz. I was struck by the description of the transactional relationship between the CIO and the board. He describes a relationship in which the lack of comprehension of the nature and value of IT by other execs and board members has relegated the CIO to the role of a service provider, with time and cost as the key measures. The author relates this to the CIO’s constant struggle to earn their ‘seat at the table’ at the board, as they are judged not on the value generated but on their ability to estimate and deliver in an area that is notoriously hard to estimate reliably.

Firstly, this difficulty in communicating a key specialist discipline to non-specialist leadership, and the diminishing of perceived value that follows from it, sounds precisely like the challenge I continually hear from CISOs.

Secondly, it places the delivery of technical quality, with its consequent impact on cyber hygiene, in a broader context. CIOs and their teams are treated and managed like service providers; they agree to financial costs and delivery targets and are measured by these. Rarely are they judged by the quality of what they deliver, as long as it meets the cost and time targets. As such, the high-quality end of IT delivery, which includes:

  • knowing how many devices you manage,
  • knowing what version of what software is running where,
  • knowing who has access to what data,
  • maintaining systems in support, and
  • retiring systems that are out of support,

is delivered just well enough to work, but not generally very well. This level of IT delivery dramatically impacts the cyber hygiene essentials, which are commonly agreed to include:

  • IT maintenance (patching, replacing end-of-life platforms, inventories, baseline builds),
  • Network security (internal segmentation),
  • Access management (efficient joiners, movers, leavers processes; privileged user management),
  • Security monitoring (effective visibility), and
  • Incident response (tested plans, exercised staff).

CISOs are held to account for these; we then point the finger at the CTOs and CIOs for delivery failures without realising that the IT delivery teams are doing exactly what they have been asked to do: just enough to get the delivery done to cost and on time.

Failures in cyber hygiene are highlighted at Audit Committees and in regulatory reviews by supervisors (such as CBEST). Yet the root cause is unlikely to be that security has failed to deliver, or even that the technology teams have failed to deliver. What has failed is the governance and culture of a business that treats technology as a cost-driven service provider rather than as the creator and maintainer of the core value engines of many modern businesses.

A failure to deliver cyber hygiene is the responsibility of the CEO.

It is the CEO’s responsibility to ensure that the right governance and culture exist. Regulators and Boards who are unhappy with the state of cyber hygiene need to raise their focus from the metrics and start looking at the culture at the top of the business.

This is not inevitable. I have been working with tech-first scale-up health and finance businesses recently, and I see a different dynamic. The CEOs are either technical themselves or recognise that their product delivery is intrinsically linked to their technology delivery, and they value it appropriately. I find technology teams that still have budget and resource constraints but are much more focused on the quality of their delivery, and open to adopting new approaches or requirements that they recognise make their systems better.

It is refreshing, and in stark contrast to the same sort of teams in large businesses that are focused on surviving the next round of efficiency savings. Having taken one of these businesses through Cyber Essentials Plus, I noted how tough the audit was and how hard it would have been for a large enterprise to get through without the typical audit-gaming that goes on. I think that Audit Committees and Regulatory Supervisors should have no hesitation in asking for Cyber Essentials Plus from a large enterprise, but without a cultural shift, they also shouldn’t be surprised that it is not able to achieve it.