by Kenneth Corbin

CIOs seek cybersecurity solutions, bigger voice in C-suite

News Analysis
Jun 26, 2015
CIOCybercrimeIT Leadership

Tech chiefs come together to sift through security issues, ranging from cybersecurity to budgets to CISO roles.

Credit: Thinkstock

Issues like cybersecurity might keep CIOs up at night, but in Northern New Jersey, at least they know they’re not alone.

Mark Sander co-founded the North Jersey CIO Roundtable under the aegis of that state’s chapter of the Society for Information Management, aiming to bring together tech leaders in a series of meet-ups pegged around issues like security and the role of the CIO in the C-suite.

“There’s a great exchange of information,” Sander says of the meetings.

“It’s lonely as the CIO,” he adds. “It’s nice to talk to your peers and learn from them.”

Sander explains that he initiated the roundtable sessions in a bid to engage CIOs from larger firms in the region just outside New York City, offering a venue free from the distractions that too often arise at industry events billed as networking opportunities.

“Some of the reason these big CIOs don’t come to general meetings is they don’t want to be attacked by every manager and director looking for a job,” he says.

Earlier this month, Sander convened a roundtable to focus on security issues, arranging for guest speakers from the FBI and a prosecutor with the U.S. Attorney’s office in New Jersey specializing in cybercrimes.

With no cameras rolling, those officials offered a frank assessment of the challenges stemming from the mounting cyberthreats, which Sander places in two broad categories: those from hackers motivated by a political cause and those seeking financial gain.

Those groupings are of course filled with considerable nuance, but in broad strokes firms are very much struggling to fortify themselves against cyberthreats.

CIOs and CISOs need broader reach in organization to battle cyberthreats

Part of the challenge is organizational, Sander argues. He believes that a firm’s top security official needs a broader reach than is typically afforded within the tech division. Better than reporting directly to the CIO, he says, the CISO would be accountable to the internal audit unit or audit committee, or, potentially, even the CEO.

Many CIOs at the roundtable disagreed, arguing that the CISO should remain within IT, Sander admits. But while he doesn’t discount the nexus between security and tech, he contends that security must be an enterprise-wide priority.

“For a CISO to be impactful today, they’re going to have to influence things outside IT,” he says. “Security’s going beyond just passwords, firewalls and all the techy stuff.”

Though passwords might be a sensible place to start. Sander, who has held CIO and senior tech positions at a variety of firms, talks of the lax cyber hygiene in many enterprises — where employees’ passwords might be found scrawled on notes under the desk blotter or on Post-Its stuck to the monitor.

“The best thing we can do to help law enforcement is to not make it so easy — kind of like not locking your front door and expecting law enforcement to come and help you. Most companies aren’t locking their front and back doors,” he says.

Better education, training and security budgets needed

Ongoing education and training can go a long way toward addressing those issues, and two-factor authentication can certainly be a helpful measure, according to Sander. But CIOs and CISOs routinely struggle with budget restrictions. In an exit poll at the CIO roundtable, participants said that the portion of their IT budget allocated to security ranges from 1 percent to 10 percent.

The 19 CIOs and CISOs who attended that meeting make for an admittedly small sample size, but the concern about tight funding that they expressed is common across the business sector, Sander says. He suggests that CIOs and CISOs can help their cause and elevate security as a business priority by making their case to the board of directors, who can then lean on the executive leadership to allocate more resources to tighten up security within the organization.

But CIOs bear some blame on the security front when it comes to dealing with third-party vendors, Sander argues. If a chain is only as strong as its weakest link, enterprises need to give closer consideration to the firms they partner with and offer access to their systems. The high-profile Target breach, after all, came after hackers infiltrated an HVAC vendor that was contracted by the retail giant.

“My experience is this isn’t even on the menu. They don’t even look at this,” Sander says. “I don’t believe the IT industry and CIOs are doing enough when they do this outsourcing.”