As organizations grow, functions that started as one person’s job get split across multiple organizational units and multiple executives, often without thoughtful planning. Specialization enables experts to dig deep into each job but creates several problems:
- A lack of a single accountable executive (or worse, having multiple executives, each of whom manages part of the process) leads to uncoordinated decisions. These distort organizational focus, leading to over-investment in some functions and neglect of other functions that are equally or even more critical;
- Organizational separation among functions—i.e., silos—allows gaps between the functions. These gaps lead to delays and mistakes that hurt productivity; worse, they can be exploited by attackers seeking entry into corporate networks and systems.
Whose responsibility is it when dangerous confusion creeps into an organization? When talking about cybersecurity, it’s up to the CEO and board of directors to create and maintain accountability, consistency, and oversight.
Here are two jargon-free steps you can take to mitigate the risks of ‘organizational sprawl’:
- Clarify and communicate executive accountability. Be sure one (and only one) C-suite executive owns the organization’s cybersecurity risk/reward decisions and that everyone understands who that is. This executive must be within the C-suite for two reasons. They must understand the CEO’s business objectives[1] and risk tolerance and be comfortable working with the board on risk issues. Also, they must have organizational clout to make and enforce decisions—and sometimes go toe-to-toe with the CEO.
This is usually the CIO or CISO (I’ll leave the discussion about whether the CISO should report to the CIO or a peer for later). What I’ve seen work well at decentralized or heavily regulated organizations is appointing a chief risk officer to oversee all risk classes including: cybersecurity; physical security; compliance; insurance; audit; and legal. This executive considers all risks and has the resources to develop coordinated plans and responses as new risks develop.
- Create (and maintain!) an overarching risk architecture that addresses:
- risk mitigation[2] strategies, tool categories[3], and processes;
- risk oversight/audit/governance.
Architecture, to be helpful without impeding progress, is high-level and somewhat abstract. It serves as a decision-making guide for the diverse individuals, likely spread across multiple departments and locations, who are charged with implementing and operating security functions. It does this by clarifying the organization’s thinking on major topics. An architectural principle might be, “Our aim is Zero Trust Network Access (ZTNA).”
Creating and maintaining a coordinated design for tools and processes minimizes gaps when horizontal processes are spread across multiple silos.
As CEO, president, or perhaps COO, you see across the entire organization and ensure that everyone pulls together with minimal overlap and no cybersecurity gaps. As a board director, you need comfort that risk is adequately addressed. An executive focus on accountability + architecture helps achieve both goals.
About the author:
Wayne Sadin has had a 30-year IT career spanning logistics, financial services, energy, healthcare, manufacturing, direct-response marketing, construction, consulting, and technology. He’s been CIO, CTO, CDO, advisor to CEOs/Boards, Angel Investor, and Independent Director at firms ranging from start-ups to multinationals. Contact Wayne at email@example.com, on Twitter at www.twitter.com/waynesadin, and at LinkedIn at www.linkedin.com/in/waynesadin
This post is brought to you by Tanium and CIO Marketing Services. The views and opinions expressed herein are those of the author and do not necessarily represent the views and opinions of Tanium.
[1] “Perspective is worth 40 IQ points”
[2] Mitigation includes Prevention, Detection, Defense, Restoration
[3] Not specific products, because they may change