The Forward Leaning CIO

Dr. David Umphress, Director, Auburn Cyber Research Center, Auburn University and Frank J. Cilluffo, Director, McCrary Institute for Cyber & Critical Infrastructure Security, Auburn University
In the 1990s, trade publications portrayed “enterprise security” as the strategy an organization puts in place to protect information systems from unauthorized access. Today, trade publications paint “enterprise security” as the strategy an organization puts in place to manage the risk of unauthorized access to information systems. In other words, apart from conceding that unauthorized access is inevitable, the underlying notion of “enterprise security” has remained essentially unchanged for 30 years. At best, therefore, “enterprise security” is a backward-looking and outdated notion of security. At worst, it becomes a buzzword that blinds CIOs to the need for a forward-looking and more strategic conception of security.

The useful shelf life of “enterprise security” as a phrase and, more importantly, of the meaning it evokes can be extended by taking the term apart, examining each piece, and then reassembling it in light of the experience gained since its inception.

1. ‘Trust is the Coin of the Realm’: Re-envision “security” as “trust.”

Cybersecurity, perceived initially as a purely technical undertaking, has grown into a vast field that is an amalgam of disciplines ranging from management to psychology to law enforcement to intelligence gathering and beyond. Despite this, its focus has been primarily on safeguarding the possession of information. Events over the past several years have suggested, however, that it is not sufficient to address the ownership of information – we must also consider how to protect its use. Privacy has thus begun to emerge as the flip side of security. That said, securing data is a difficult task, and constraining its use is more difficult still. Indicators point to an even more daunting challenge: information misuse or manipulation, meaning the alteration or fabrication of information in a way that nonetheless leaves it appearing genuine. This, of course, is not a new concept, but it is significantly magnified by the speed at which we spread information and the uncritical way in which we consume it. Bottom line: instead of defining security in terms of computer systems and information-as-data, the forward-leaning CIO should think of information as embodying meaning and trust.

2. Broaden and deepen the notion of “enterprise.”

The CIO’s territory is traditionally perceived as being the organization’s IT infrastructure. While IT will continue to be a primary conduit for cyber mischief, it is not likely to be the only conduit, just the most visible. Hidden within many organizations is operational technology (OT) that relies on automation to run manufacturing machinery and control processes. OT vendors are only now beginning to incorporate security measures into their devices, meaning businesses that currently employ automation to produce a product or deliver a service are likely to be using equipment that has little inherent protection. While these systems are more difficult to penetrate and manipulate, they are not impervious to malicious activity. The most significant risk here is that we don’t know what we don’t know: the cybersecurity community has quite a bit of experience with IT breaches, but very little with OT breaches. The introduction of so-called edge devices – the devices that make up the Internet of Things and the Industrial Internet of Things – muddies the picture further.

The CIO’s purview has not only deepened; it has broadened. Once considered merely the custodian of information within the organization’s own information architecture, the CIO is now responsible for information that leaves the organization’s boundaries, whether intentionally or inadvertently. Whatever an organization’s primary product may be, every organization discharges information. Forward-leaning CIOs take a lesson from the environmental community and focus on understanding what information their organization is emitting, determining the effects those emissions can have outside the organization, and controlling them.

3. Participate in enterprise security.

CIOs express frustration with the blame-the-victim stigma attached to cyber events. Enterprise security’s shift in mindset from “if” a breach happens to “when” has been mostly inward-facing; it has yet to percolate sufficiently outside the security community. Why? CIOs say they face an overly litigious culture that is disinclined to understand the intricacies of information assurance, a reluctance among organizations in the same competitive space to share security information, limited options for reciprocity, and a lackluster response from law enforcement. Tellingly, CIOs point to the ever-increasing range of functions they have to oversee to fulfill their jobs. For example, few CIOs at the beginning of the enterprise security era would have envisioned collecting intelligence on, and defending against, foreign intelligence services as a regular business activity.

Such frustration can be expected to persist – at least until policies are established that define clearly what portion of enterprise security is to be shouldered by the government and what portion by the private sector. This would lay the foundation for putting in place thoughtful measures for dissuading and deterring malicious cyber events, ranging from more aggressive enforcement of existing laws to the imposition of financial sanctions. A forward-leaning CIO would build alliances among private and public security officials to craft workable policies before it is too late, that is, before a significant cyber event forces policy to be written in the heat of the moment, when the result is likely to be unsustainable or ill-advised.

The “best when used by” date of enterprise security is quickly approaching, if not already here. The concept can pass into the graveyard of other business concepts that failed to evolve, or it can be re-energized by re-imagining it in light of what the past 30 years have taught us. The choice is really up to CIOs – the forward-leaning ones.
