Organization – The Overlooked Security Control
By Ben Ferris, Cybersecurity Manager, Newport News Shipbuilding, A Division of HII
A few years ago, a well-known university, which does extensive R&D for the U.S. Government, experienced a public breach in their College of Engineering. The breach included unclassified sensitive government information that resulted in an audit by the Defense Contract Audit Agency (DCAA). Most of the resulting recommendations from DCAA were based on deficiencies related to applicable NIST standards. There were, however, two significant recommendations not specified within NIST. The first was that all IT employees and organizations report to the CIO; the second, the CISO should not report to the CIO. This brings to light two situations not uncommon in larger organizations, shadow IT and conflict of interests in the IT / cyber organizational structure.
Shadow IT is generally known as IT processes, systems, software, etc., that are outside the scope and often the awareness of the larger, company IT department. Shadow IT is often the result of perceived cumbersome processes, procedures, or other shortcomings of the larger IT organization. While the instigators of the shadow IT may get the immediate results they are looking for, it tends to circumvent security, budget, and compliance in the larger picture. Having a group create the shadow IT is very understandable. Think about how easy it is to set up a cloud collaboration area where you can share data with stakeholders inside and outside the company – it takes mere minutes and, in many cases, can be free of charge. Compare that to what it takes to work through the company’s IT department to accomplish the same outcome. Nowadays, it is difficult enough to maintain control of sensitive company information and keep the IT environment secure; shadow IT can potentially add significantly to this risk. Think of the risk associated with an employee downloading a shared document from that free environment that contains a nefarious payload. This is a simplistic example, but I think you probably get my point.
I was recently at a conference who’s keynote speaker was a government cybersecurity official. He described a sole-sourced contract for some hardware that had a very short suspense date. The contract was awarded to a large contractor who had more than enough credentials, experience, and capability to deliver the product and it, subsequently, was. However, the product turned out to have significant security flaws. Upon further investigation, it was determined that the organization within the company responsible for the development and delivery of the product used shadow IT, unbeknownst to company executives. The government official did not elaborate on the impact on the company or the group responsible. However, one can imagine that reputation and bottom line were negatively impacted.
This leads me to the next DCAA recommendation, moving the CISO out of the CIO organization. It is understandable why many CISO’s reports to CIO’s. It is all IT, right? This is true, but there is an inherent conflict of interest with this reporting structure. CIO’s are focused on user experience, providing the best services, tools and resources at the lowest cost to the organization. CIO’s tend to chase the latest and greatest technology, which is certainly understandable; it’s their job. Security, not so much. Do a quick scan of the latest articles on Artificial Intelligence, Cloud, Digital Transformation, Blockchain, and Medical within CXOTECH Magazine and see how often “security’ is mentioned. I can tell you will not see it in those sections very often; only in the “Security” section.
The CISO, on the other hand, is focused on protecting the data, the systems it is on, and, ultimately, the reputation of the company. This focus is inherently at odds with the CIOs focus. Yet, many larger organizations have the CISO reporting to the CIO. I have seen, first hand, where large, costly efforts that started out as a cybersecurity effort morph into an IT effort at the expanse of cybersecurity, driven by, you guessed it, the CIO. Now, it could be that I am misinterpreting what I see and read. Perhaps security is foundational to AI, Cloud, Digital Transformation, etc., and it is explicitly understood that all of these rely on sound and fully developed cybersecurity programs; maybe, but I do not think so.
In my opinion, it boils down to two things. First, how well do the Board of Directors and company executives understand cybersecurity and associated risks in general and within the company (they should be talking to the CISO, not the CIO). Second, what is the company’s risk appetite when it comes to cybersecurity? Sure this is probably a simplistic view of a complicated issue given all of the regulations, statutes, best practices, CISO Burnout, Board of Director Cybersecurity Committees, etc., that deal with cybersecurity and risk now; I mean, a plethora of books have been written on this. However, if you get these two things right, at the end of the day, you make DCAA happy and probably your shareholders.