
The Forward Leaning CIO


Dr. David Umphress, Director, Auburn Cyber Research Center, Auburn University
Frank J. Cilluffo, Director, McCrary Institute for Cyber & Critical Infrastructure Security, Auburn University

In the 1990s, trade publications portrayed “enterprise security” as the strategy an organization puts in place to protect information systems from unauthorized access. Today, trade publications paint “enterprise security” as the strategy an organization puts in place to manage the risk of unauthorized access to information systems. In other words, apart from recognizing the inevitability of unauthorized access, the underlying notion of “enterprise security” appears to have been unchanged for 30 years. At best, therefore, “enterprise security” is a backward-looking and outdated notion of security. At worst, it becomes a buzzword that blinds CIOs to the need for a forward-looking and more strategic conception of security.
The useful shelf life of “enterprise security” as a phrase and, more importantly, the meaning it evokes can be extended by taking apart the term and examining each piece, then reassembling it in light of the experience gained since the time of its inception.
1. ‘Trust is the Coin of the Realm’: Re-envision “security” as “trust.”
Cybersecurity, perceived initially as purely a technical undertaking, has materialized as a vast field that is an amalgam of disciplines ranging from management to psychology to law enforcement to intelligence gathering and beyond. Despite this, its focus has been, primarily, on safeguarding the possession of information. Events over the past several years have suggested, however, that it is not sufficient to address the ownership of information – we must also consider how to protect its use. Privacy has thus begun to emerge as the flipside of security. That said, securing data is a difficult task; and containing its use is more so. Indicators point to an even more daunting challenge: information misuse or manipulation, meaning the alteration or fabrication of information in a way that it nonetheless appears genuine. This, of course, is not a new concept; but it is significantly magnified by the speed at which we spread information and the uncritical way in which we consume it. Bottom line: instead of defining security in terms of computer systems and information-as-data, the forward-leaning CIO should think of information as embodying meaning and trust.
2. Broaden and deepen the notion of “enterprise.”
The CIO’s territory is traditionally perceived as being the organization’s IT infrastructure. While IT will continue to be a primary conduit for cyber mischief, it is not likely to be the only conduit, just the most visible. Hidden within many organizations is operational technology (OT) that relies on automation to run manufacturing machinery and control processes. OT vendors are only now beginning to incorporate security measures into their devices, meaning businesses that currently employ automation to produce a product or deliver a service are likely to be using equipment that has little inherent protection. While these systems are more difficult to penetrate and manipulate, they aren’t impervious to malicious activity. The most significant risk here is that we don’t know what we don’t know. The cybersecurity community has quite a bit of experience with IT breaches, but very little with OT breaches. The introduction of so-called edge devices – the devices that make up the Internet of Things and the Industrial Internet of Things – muddies the picture further.
The CIO’s purview has not only deepened; it has broadened. Whereas the CIO was once considered the custodian of information within the organization’s information architecture, the CIO is now responsible for information that leaves the organization’s boundaries, whether intentionally or inadvertently. Regardless of the first product an organization may lay claim to, every organization discharges information. Forward-leaning CIOs take a lesson from the environmental community and focus on understanding what information is being emitted from their industry, determining the effects those emissions can have outside the organization, and controlling those emissions.
3. Participate in enterprise security.
CIOs express frustration with the blame-the-victim stigma attached to cyber events. Enterprise security’s maturation from “if” to “when” (as an imperative) has been mostly inward-facing. It has yet to percolate sufficiently outside the security community. Why? CIOs say they face an overly litigious culture that is disinclined to understand the intricacies of information assurance, a reluctance among organizations in the same competitive space to share security information, limited options for reciprocity, and a lackluster response from law enforcement. Tellingly, CIOs point to the ever-increasing functions they have to oversee to fulfill their jobs. For example, few CIOs at the beginning of the enterprise security era would have envisioned collecting intelligence on and defending against foreign intelligence services as regular business activity.
Such frustration can be expected to persist – at least until policies are established to define clearly what and how much enterprise security is to be shouldered by the government versus the private sector. This would lay the foundation for putting in place thoughtful measures for dissuading and deterring malicious cyber events, ranging from more aggressively enforcing laws to imposing financial sanctions. A forward-leaning CIO would build alliances among private and public security officials to craft workable policies before it’s too late – when the heat of the moment of a significant cyber event results in unsustainable or ill-advised policies that arise in reaction to it.
The “best when used by” date of enterprise security is quickly approaching, if not here already. It can pass into the graveyard of other business concepts that failed to evolve. Or, it can be re-energized by re-imagining it in light of what the past 30 years have taught us. The choice is really up to CIOs – the forward-leaning ones.
