Accomplishing Organizational Security through Shared Responsibility Model
Darrell Bateman, SVP-Chief Information Security Officer at City Bank
The demands on the Chief Information Officer (CIO) seem to increase with each passing year. The solutions for business problems, if not entirely technological, at least require more and more direct involvement from the IT departments of every organization. With each of these technology solutions come the usual considerations of infrastructure, cloud, integrations, support, long-term sustainability, and information security. Fortunately, most large organizations now at least relieve the CIO of the burden of information security by having a dedicated Chief Information Security Officer (CISO). However, can today's CIO fully shift all responsibility for security onto the CISO? If so, how are the lines of responsibility drawn between the operational interests of the CIO and the security interests of the CISO?
In reality, the Information Technology (IT) and Information Security (IS) departments cannot operate effectively as silos in most organizations. For instance, a successful ransomware attack against the IT infrastructure is a highly disruptive event. Critical systems and services are either disabled by the attack or must be shut down until the source of the attack is identified and eradicated. This is a severe disruption to the operational goals of the IT department, yet it is a "security" incident. Response requires the full attention of both the IT and IS departments. Even more, the planning and design of the infrastructure to prevent such attacks requires both teams to coordinate their efforts.
In another example, it is commonly recognized that vulnerabilities, i.e., unpatched or misconfigured systems, are an open invitation for exploitation by cyber criminals, resulting in data or intellectual property theft or exposure of sensitive customer information. Yet IS does not typically patch vulnerable systems, nor install and configure those systems. If IT is not properly performing those functions, the IS department is still where executives will look for an explanation when there is a major data breach.
Clearly, while it is practical, prudent, and sometimes required to separate responsibilities for Information Technology and Information Security, it is not clear how to actually accomplish this. Roles and tasks can certainly be divided among the technical staff of both teams, but the ultimate goals of high operational availability and information security cannot be achieved without a high degree of coordination between the two teams.
In my experience, IT and IS tend to interface with each other in one of two ways: 1) Segmented Responsibility, or 2) Shared Responsibility. In the Segmented Responsibility model, responsibilities for various aspects of information security are clearly divided, with the Information Security team reporting to a completely separate branch of executive management from IT. IS dictates security policies and standards that the IT team must follow. IS has direct control over many functions and services such as firewall updates, intrusion detection/prevention (IDS/IPS) systems, collection, analysis, and monitoring of system/application logs, vulnerability scanning, Identity and Access Management, cloud security administration, third-party risk management, business resilience planning, and incident response. The relationship between IT and IS can sometimes be characterized as adversarial rather than cooperative.
In the Shared Responsibility model, the IT team takes ownership of certain aspects of information security, such as network/cloud architecture, secure configuration management, vulnerability remediation, firewall management, Identity Management, and DevSecOps. IT and IS work together to assess risk, formulate policies and standards, select technology solutions, and respond to incidents. The CISO and IS team may still report to a separate executive branch, but their relationship is typically characterized as collaborative.
There are certainly pros and cons to both models. In the Segmented model, decision making is more efficient, requiring less interaction, communication, and coordination between the two groups. Each team is also freed to focus on its respective primary objectives for the business. On the negative side, the interactions between the teams can easily become adversarial, and when security incidents occur, each team can quickly seek to assign blame to the other.
The Shared Responsibility model promotes a team-oriented approach to security, recognizing that the two groups have important roles to play in the overall security of the organization. Though the CISO still has ultimate responsibility for information security, the two teams work collaboratively to design and configure infrastructure, systems, and services to ensure maximum security as well as availability. The downside is the significant amount of coordination and communication required when assessing risk and making decisions. Blame for security incidents can still be cast between the groups as well.
I've worked in variations of both models during my career in IT and IS, and my preference is the Shared Responsibility model. I do recognize, however, that it takes commitment and mutual understanding between the CIO and CISO to make this work. When it does work, it can be a strong partnership that is also a win-win for both parties. The CIO can still be freed to focus on operational goals, while recognizing that information security incidents are a significant threat to those goals. Likewise, the CISO is freed to focus on information security while realizing that many operational aspects of IT are essential for preventing incidents.
Whichever model works best for your organization, CIOs and CISOs should realize that they cannot fully operate or achieve their objectives without the other. For me, I would rather be assured that the CIO has my back, and vice versa, when it comes to keeping the organization safe and secure, or when maximizing availability and function for the business.