Getting IT and security teams on the same page
The intersection between technology and cybersecurity is a critical juncture for any organization. While the IT department is focused on delivering digital services and enhancing customer satisfaction, the security team is responsible for mitigating cyber risk. Unfortunately, these two departments often find themselves at odds, leading to a "frenemy" relationship that can impede progress.
At the heart of this tension lies a fundamental difference in priorities. CIOs are driven by the need for speed and agility to maintain a competitive advantage in the digital landscape. Meanwhile, CISOs and their security teams are focused on identifying and fixing privacy and security risks that arise from the very same digital services that the IT team is so passionate about.
This disconnect can lead to the IT department being seen as reckless and potentially increasing cyber risk in their pursuit of speedy delivery. Conversely, the security team may be perceived as obstructing progress by finding objections and blocking the road to success.
Conflicting goals of IT and security departments
IT teams have the crucial responsibility of staying ahead of the technology curve and maintaining a competitive edge in a rapidly changing digital landscape. According to IDC, global spending on digital transformation is expected to reach $3.4 trillion by 2026, which means that CIOs face immense pressure to keep their organizations ahead of the curve.
At the same time, cybersecurity has become a top priority for businesses, as the costs of data breaches continue to mount. IBM's recent Cost of a Data Breach report estimated that the average cost of a cyber incident worldwide is approximately $4.35 million.
Both CISOs and CIOs have evolved into influential business leaders, transitioning from technical analysts to revenue generators and innovators. However, as IT and security often find themselves on different sides of the spectrum, this expanded role can lead to challenges as both departments compete for boardroom attention and budgets.
But what if IT and security teams could collaborate and complement each other's strengths instead of being at loggerheads? By working together and pooling their talents, they can create a more secure and agile digital environment, improving the organization's overall resilience and competitiveness.
Getting IT and security aligned
To bridge the gap between IT and security teams, a shift in mindset is needed. IT teams must understand the value of security and recognize that while speed is crucial in developing and deploying applications, it cannot compromise the organization's cyber defenses.
At the same time, security teams should view the IT department as a telemetry system for cyber risk, working alongside them to gain insight and feedback on workforce productivity and security needs. However, this cultural shift needs to be driven from the top down, with CISOs and CIOs taking the lead in fostering communication and collaboration between the two teams. There are various structures or hierarchies that businesses can adopt to ensure harmony, with 40% of CISOs now reporting directly to the CEO, according to a PwC study. Other options include the CISO reporting to the board or to the CIO.
Some organizations may benefit from having both the CIO and CISO report directly to the CEO, which can help reduce strain on their professional relationship and put both departments on equal footing. Ultimately, the hierarchy framework should be tailored to align with each organization's security imperatives and business objectives.
What is the reason behind the divide between the teams?
Division often arises when security is perceived as the final step. IT teams may feel that they have put in a lot of effort to produce new software, only for the security team to shoot down their plans and cause delays. Similarly, the security team may feel that they have to intervene and find a solution to keep the critical new architecture from introducing significant security issues.
This kind of scenario often intensifies the conflict between both teams. However, this situation can be avoided if the IT and security teams collaborate right from the beginning and go through all the processes together, from application ideation to architecture design, and work together during the final review stages.
This approach ensures that all the necessary due diligence around risk exposure and vulnerability is completed, and security is embedded into the resulting product or project. The DevSecOps approach is a good model, where security is interwoven throughout the development life cycle, rather than being a last-minute barrier.
Acknowledging CISOs as the risk-management leaders
Security has rapidly evolved from being a purely technical concern to blending with organizational risk management. Cyber risk now spans every element of the organization and must be treated as a strategic business function. As a result, the role of the Chief Information Security Officer (CISO) has drastically changed, and they must evolve to meet the expectations of this new reality.
Today, CISOs must operate as central leaders in combating threats across the business. This highlights the need for them to sit at the table and work alongside their CIO counterparts. Only then can the IT and security teams end their quarrel and navigate the uncharted digital waters ahead of them.