CISOs and other IT leaders might be able to stay siloed in their work, but the CIO has no such luxury, argues Lance Hayden, VP and chief information security strategist at Vericast, based in San Antonio, Texas.
Hayden spoke with StrategicCIO360 about how the CIO role is changing, what it’s crucial to stay on top of and how small problems can quickly snowball.
What is the CIO’s role in handling the intersection of security and data privacy?
CIOs have a holistic responsibility over information and data, as their title implies. Security, privacy and governance are all aspects and outcomes of our use of information as an enterprise asset. These can be distinct specialties, with their own professionals, processes and tools.
It’s possible in a large organization for the CISO and the chief privacy officer to each enjoy a relatively siloed career, collaborating or even interacting only intermittently. But a CIO’s role spans these and more, operating at the intersection of data and how it is processed and used. A CIO owns information: how it is obtained, processed and protected, not only internally within the enterprise, but also how it is driven externally as information and data management by regulation, privacy laws and industry best practices.
We’re entering an era where data governance, information security and privacy are increasingly intermingled. You can’t optimize or protect something you don’t understand. As organizations collect and create more information every year—indeed, every second—and as the totality of the internet itself is incorporated into everyday applications, this is an enormous challenge.
A CIO must think well in advance about what information and data assets they will utilize. Information is the fuel of a data-centric enterprise. Like many fuels, it’s dangerous when not properly controlled. Some data, like personal information, is highly regulated. Some threats to information, like ransomware, can quickly bring the organization to a halt. A CIO must weigh these risks and requirements, all the while ensuring that the engine keeps running.
How are these intermingling concepts affecting different industries?
If anything, the intermingling of information security and data privacy is driving higher standards across all industries. Gone are the days when some industries like banking or healthcare were thought of as “more sensitive” than others like advertising or retail. Across the board, we are seeing increasing demand for both security and privacy.
Some demand is driven by consumers and people who worry about how their personal data is managed. In other cases, the realization that information creates powerful competitive advantages means even mundane corporate data holds the keys to efficiency, growth and profit. Organizations that don’t master their information strategies risk falling behind, either by losing trust and brand value among their customers or by simply failing to use or protect their own information assets to create and maintain competitive advantage.
Emerging technologies, including artificial intelligence, can help organizations facilitate more secure and transparent data collection and usage, as well as develop more effective targeting and personalization models based on context—all while keeping consumer data anonymized.
How can CIOs go about establishing recurring security hygiene?
Most importantly, CIOs must keep in mind the adage that security is a process, not a product. Effective, continuous information security results from an organizational culture that values protecting data as an important end unto itself.
From responsible sourcing of data assets through to compliance with applicable legal and regulatory requirements in data products, security must be top of mind throughout the information value chain. From developers to sales teams to the board, everyone must care about protecting data and hold themselves accountable for the effectiveness of information security.
Security that is culturally embedded within the organization is always more effective than security that is externally imposed or bolted on after the fact. The CIO is positioned to be a powerful champion of security culture, since so much of the information infrastructure lies within their areas of influence.
Whether working with data engineers to implement data governance controls such as clean rooms and anonymization techniques, championing secure development processes and effective DevSecOps among software engineers, or driving company-wide security awareness campaigns to protect against phishing or other threats, a security-conscious CIO can have a tremendous impact on enterprise security posture.
What are some things that CIOs can relay to their teams around preventing potential cybersecurity vulnerabilities before they happen?
Very few failures happen spontaneously and without warning, especially in complex systems like computer networks or corporations. Usually, they result from small problems growing into big ones over time, until finally something gives. And they almost always show signs of stress before failing completely.
CIOs must develop and deploy broad detection networks to sense problems as early as possible. Lots of technologies are designed to do this, and they drive many security operations centers. But people have always been the best sensor. People know when something isn’t working right, or when a process begins to degrade, often long before any technical evidence is available. But too often, for many reasons, people don’t feel comfortable calling out what’s going wrong.
CIOs should encourage failure reporting. Cultures that prize success at all costs, where “failure is not an option,” only increase the likelihood that failure, when it comes, will be big, if only because it will have become impossible to hide anymore. Successful CIOs understand that failure is a sign of learning and growth, but it must be reported and corrected while those failures are still small and manageable.
Individuals and teams should be encouraged to report problems and concerns. Everyone in the organization, not only the IT or security teams, is responsible for security. They should be given the knowledge and skills to protect themselves and to report potential security concerns.
This can be as simple as training users to forward suspicious emails before clicking a link, or working with them to effectively manage hybrid and remote work arrangements where personal and corporate technologies may be used side by side, or even on the same device.
Today it can be very valuable for a company to help their employees understand how to protect their families’ digital lives, both as a motivation and because these same skills will end up protecting the company as well.