Aligning the Priorities of IT and Cybersecurity Teams
Relationships are tricky. Whether you’re talking about families, workplaces, politics, sports teams or anywhere people have to collaborate, building mutually supportive and respectful relationships takes work.
I’d bet it’s the same way in your organization with IT professionals and those charged with cybersecurity oversight. Like husbands and wives, athletes and coaches, the dedicated and resourceful men and women in your IT and security teams have to foster an atmosphere of understanding and mutual support.
Or else, you’ll have a huge mess to clean up.
Why? In my experience, it boils down to some fundamental differences in the way that IT and security professionals see their jobs—and the way their bosses, the CIO and the CISO—establish departmental goals.
As a CISO, I certainly have my own perspective on the differing priorities of IT and cybersecurity groups. But I’m not unaware of the challenges that IT faces. Before I became a CISO, I spent many years working in IT and know first-hand what IT departments grapple with.
Simply put, IT departments tend to build their teams, processes, budgets and priorities around ensuring service delivery. Cybersecurity departments, by contrast, see the world through the lens of risk mitigation, risk management and cybersecurity oversight. And while these two priorities may not be innately at odds with each other, there is enough of a gap to create inefficiencies at least, and outright problems at worst, if not acknowledged and addressed.
If that sounds suspiciously like the title of a popular book from the 1990s—“Men Are From Mars, Women Are From Venus”—well, there’s a reason why. Like men and women, IT and cybersecurity folks see things differently.
Undoubtedly, both service delivery and risk mitigation are essential to any organization’s ability to accomplish its business objectives and thrive. Cybersecurity folks will struggle to protect data and identities if the underlying computing foundation—infrastructure and applications—are not of sufficient quality, integrity and performance to support and even drive a modernized cybersecurity framework. And IT departments can focus all they want on service delivery, but it won’t mean anything if digital assets from the data center to the edge to the cloud are not secured. Service-level agreements mean nothing when your customer data is stolen and your employees’ identities and privileges are compromised.
So, should your organization be committed first and foremost to IT service delivery, or to cybersecurity oversight and risk mitigation? OK, it’s a rhetorical question. You obviously need both.
But there are times when pushing hard and fast to deliver new applications or support pilot programs like IoT comes into conflict with risk mitigation/risk management. Now, conflict in the relationship between IT and cybersecurity, just like any personal or professional relationship, can always be worked out if the parties recognize the sources of the conflict, keep the big picture in mind and are willing to compromise.
But there’s a catch. Specifically, there are still many organizations where a legacy mindsight has rooted itself and is nearly impossible to eradicate. I’ve seen and heard of too many examples where IT departments remain focused on things like help desks, managing legacy code, and manually tuning enterprise applications like ERP. Those kinds of IT functions have increasingly become viewed as commodities, leading to increased instances of outsourcing, managed services and, in some cases, complete overhauls of legacy IT.
Instead, it’s important for IT departments to take a modernized view of their roles, especially in how they align with their organization’s security teams. Modern IT is now marked by such technologies and functions as analytics, automation, IoT, cloud computing, DevOps (and DevSecOps), virtualization, hyperconvergence, AI and machine learning—all of which are vital to security teams in fulfilling their core mission of risk mitigation.
Of course, reconciling the historically different focus of IT and cybersecurity ultimately comes down to leadership. CIOs and CISOs have to come to grips with the sources of tension and potential inefficiencies by sitting down and assessing how they can collaborate to achieve both always-available service delivery and higher levels of risk prevention, detection and remediation.
And what are some ways for them to get on the same page?
- No alignment, integration or reconciliation is possible without open communicationand full transparency. All parties need to put their cards on the table, set aside their egos and their fears, and take the first steps toward building mutual respect and trust.
- Integrating IT and cybersecurity oversight processes and people is essential. The people from both departments need to have very high levels of exposure to each other’s programs, including strength, weaknesses, assets and liabilities. Territoriality and provincial behavior must go out the window, so the IT folks must know what cybersecurity is grappling with, and cybersecurity should be aware where IT is headed.
- CIOs and CISOs should develop a plan to have IT people work more in cybersecurity programs—particularly those who have worked in legacy IT functions and may be looking for a new avenue for contribution in a more meaningful and personally rewarding way. Everyone is well aware of the yawning chasm that represents the cybersecurity skills gap, and many organizations are trying to find ways to re-task IT professionals as more IT functions are outsourced, automated, or both. You may even want to rotate people from the two departments—cybersecurity people working on DevOps programs, and IT folks doing cybersecurity analytics.
- There needs to be constructive but perhaps brutally honest conversations with IT professionals about their future roles in the organization. I remember the lessons at Netflix shared by Patty McCord, their former chief talent officer. She often told the story of having several senior managers from the company’s supply chain operation—the ones who handled the physical distribution of all those DVDs before streaming became prominent—in her office. She had to have some very tough conversations with them along the lines of, “You are really good at this, and you’ve helped us build a lean supply chain. But in three years, this may not be the right company for you.” In these cases, CIOs and CISOs need to think about the possibility that re-skilling may not equate to retraining, but to replacement.
This is a big reason why talent acquisition and retention may be the most important job for CIOs and CISOs, and one of the most strategic things both leaders need to work on—together—to ensure that IT service delivery and risk mitigation align to drive business outcomes for an organization.
Mike Towers is the Chief Information Security Officer at Takeda Pharmaceuticals International, Inc.