A closer alliance can deliver benefits with cloud migration, DevSecOps, and improved decision-making
The rapid adoption of multicloud IT environments and the transition to hybrid workforces demand a new dynamic in the C-suite: a closer alliance between CIOs and CISOs.
By joining forces, CIOs and CISOs can strike a healthy balance between pushing the pace of tech innovation and mitigating risk. Moving to the cloud — especially to more complex multicloud environments — can occur more quickly and efficiently. DevSecOps teams can reduce the risks of onboarding new software applications. With greater collaboration, CISOs and CIOs can jointly assess the operational challenges and security risks when bringing on new technologies.
However, achieving all that requires the two executives to take on an agenda of shared goals. For example, CIOs must aspire to embed security into all new technology investments, while CISOs can’t let risk aversion slow the pace of digital transformation. For many organizations, it’s a tricky dance, but one that can only be accomplished with a common understanding that innovation and security are inextricably intertwined.
“You’ve got to navigate lots of landmines,” says Tressa Springmann, CIO of LifeBridge Health, a nonprofit healthcare organization. Adds Rick Miller, LifeBridge’s CISO: “Usually, you meet in the middle to achieve the right balance between security and operations.”
Making smart tradeoffs
At LifeBridge, which employs more than 12,000 people and operates six hospitals in and around Baltimore, Maryland, investments in new information technology — electronic health records, virtual telemedicine tools, and genomic diagnostic solutions — can also come with added security risks. Cybersecurity in the healthcare sector is already a critical matter, as cyberattacks have crippled hospital networks and impacted patient care. More than 40 million patients’ health records were exposed in data breaches last year, according to federal reports.
Despite the risks, “budgets in healthcare are not necessarily designed to invest in the very expensive tools needed to protect data,” Miller says.
This can force tough tradeoffs. When Miller proposed segmenting the hospital’s IT network to reduce the chance of a breach, it became clear that the change would be costly and demand more IT support. Springmann challenged Miller to provide more data about the project to justify the expense. “When CISOs and CIOs work together to ensure the economics work for an organization, instead of clashing, you can realize significant value,” Miller says.
In another instance, Springmann and Miller collaborated in assessing the IT systems of a recent acquisition. Springmann’s main responsibility was to survey the acquired company’s hardware and software, while Miller’s role was to conduct a security-risk assessment. But instead of defaulting to an adversarial process common in other organizations, Miller says, the two worked together to ensure that the purchase went forward and the risks were mitigated.
“This allowed a very principled view of the acquisition,” Springmann says. Adds Miller: “The security function is built into everything we do here at LifeBridge Health.”
Discovering joint payoffs of DevSecOps
Implementing DevSecOps — an organizational practice that shares responsibility for security among development, security, and IT operations teams when creating new software applications — is a logical place for CIOs and CISOs to beef up their working relationship. For both, ensuring that software is resistant to cyberattacks is just as important as getting it up and running quickly.
DevSecOps as a practice is growing, according to survey data from 451 Research, part of S&P Global Market Intelligence, which found that 48% of development teams used application security tools in 2020, compared to just 29% in 2015.
“Imagine the potential benefits if these teams and processes were more collaborative,” says Gagan Singh, product marketing VP at Elastic. “Observability data could add more context for security teams as they work to quickly detect and respond to threats. At the same time, developers who are cross-literate in security technology could reduce friction in development by securing from the start.”
Moving to the cloud
Cloud migration is another area where organizations benefit from closer CIO-CISO collaboration. The cloud offers substantial business value in how organizations use and share information — and significantly changes the nature of cyber risks. This can be especially true when it comes to multicloud environments, which can lower some threat levels while adding to the burden of monitoring all that occurs in the cloud and keeping track of multiple controls and permissions.
Even as organizations benefit from greater collaboration between the CIO and CISO, the two roles continue to have separate priorities and responsibilities. That further raises the importance of regular communication between the two positions. Springmann and Miller, for instance, meet every two weeks and reach out almost daily by text or phone.
“A lot of [our partnership] is about communication and personal relationships, and if you don’t tend to those two things, things can go awry,” says Mark Settle, a former CIO and author of Truth from the Valley. “People who are good at communicating and anticipating other people’s issues and needs can avoid most of the friction that can occur between two groups.”
Greater C-suite collaboration between the chief information officer and the chief information security officer is essential for enterprises that want to speed technological innovation while reducing security risks. Such blurring of roles can be difficult, but with shared goals, a commitment to communication, and organizational support, CIOs and CISOs can help ensure their companies safely accomplish their digital transformation.