Productivity vs security: How CIOs and CISOs can see eye to eye

When it comes to cybersecurity, organizations often tread a fine line. Of course, they want the most robust defense possible. But at the same time, they don’t want the solutions to over-burden employees with intrusive security requirements that slow productivity. 

A perfect example is multi-factor authentication, or MFA. While it’s been proven to be a strong deterrent against the rising number of identity-based attacks, many organizations have been slow to adopt the common-sense security protocol because employees hate the extra steps required to log in to regularly-used systems. 

It’s often up to the CIO and the CISO to manage the delicate balance between safety and efficiency. And as cybersecurity increasingly becomes an enterprise-wide risk, amplified by the new risks that might be introduced by the anticipated growth of AI within most businesses, the CIO and CISO must work closer than ever to ensure their company’s IT assets are protected — with the least interruption possible for end users. 

For many years, organizations often viewed cybersecurity as a “check the box” function. Businesses may have done the bare minimum to comply with standards like those from the National Institute of Standards and Technology (NIST). But amid a surge in both the cadence and type of incidents, organizations are now realizing the potential financial and reputational risks of a cyberattack.

And in the same way the Enron scandal two decades ago launched a new generation of compliance requirements for businesses, elevating the role of chief financial officer to greater prominence within the C-Suite, the growing frequency and intensity of cyberattacks is today putting a bigger spotlight on the CISO. 

And yet, as many CISOs take on more risk and compliance responsibilities, it’s imperative that security professionals learn how to work more closely with the CIO, whose team owns operationalizing many security practices and procedures.

Understand the divide

While CISOs spend their days worrying about detecting and recovering from a cyberattack they know will inevitably happen, CIOs might be spread too thin to fully absorb those risks. Instead, their mind is racing with thoughts on how to modernize their company’s infrastructure and ensure the workforce is more productive. And increasingly, CIOs are being tasked with managing the organization’s AI strategy.

As a result, it’s not uncommon for the two roles to be in conflict. CIOs are usually inundated with complaints from employees about any additional step (like MFA) that separates them from the work they need to do. At the same time, the CIO needs to understand how changes that might enhance productivity could create severe security risks.

For example, if several employees on a video conference call are all recording the session, there are now multiple files, possibly stored in different locations, that contain potentially sensitive information. Considering the number of video calls that likely occur across a large enterprise on a given day, it’s easy to see how the resulting security vulnerabilities could become a big concern for the CISO.

Hire the right CISO for the business

In order for the CIO-CISO relationship to work, businesses also need to understand the type of skill set they require in a CISO right now — and the type of expertise that will be needed to push the organization forward. 

For example, even most mid-size organizations might not be prioritizing cybersecurity yet. Of course, they understand the severity of the threat landscape. But their risk management committees might be focused on other issues, like diversifying the supply chain to ensure future manufacturing capabilities, rather than thinking much about IT security.  

In this instance, it would be wise for the organization to hire a CISO who would bring new focus to the technical aspects of defending the company’s IT environment and developing a recovery plan in response to the inevitable attack. However, when the business reaches a certain size, investors will start demanding that cybersecurity be treated as an enterprise risk, raising it to a boardroom-level issue. And that’s when the company should consider hiring a CISO who has a more compliance-related background. 

Once the right candidate is in the organization, the CIO should also make sure the CISO is set up for success. If the CISO’s top mandate is tilted more towards corporate risk management, for example, then the business should hire a deputy chief information security officer (we call it a “lowercase ciso”) — someone who is tasked solely with managing the technical side of the defense operation. 

That way, the CISO can instead spend more time aligning with the CIO on the broader cybersecurity strategy and communicating those plans to other leaders, including the board of directors. Meanwhile, the “ciso” can handle the day-to-day work, perhaps even doing some coding themselves. 

Connect the CISO to the business

The CISO can be a difficult position. The typical mandate – to protect what are increasingly complex and widely-dispersed IT environments – is incredibly broad. At the same time, CISOs have little domain control. They must work across the entire enterprise and get buy-in from several key stakeholders to implement the necessary procedures and policies. 

Often, CISOs face stiff resistance from the business, especially if the security chief wants to implement measures that would impact how business-unit leaders and their teams are used to working. It’s why the CIO must make sure the CISO has a direct line of contact to the appropriate leaders, whether that’s the CMO, the CFO, the global head of sales or any other function with a corresponding executive leader. 

And while the CISO won’t have final authority, those divisional leaders should take the security chief’s recommendations seriously. The CIO can aid this effort by aligning with the CISO so they are in agreement on what should be implemented. 

Empower the CISO to lead during attacks

When it comes to basic operational issues, like a cloud storage center going down, the CIO should take the lead. However, when a cyber incident occurs, the CISO should have the authority to execute the established response plan to ensure a timely and thorough recovery, with minimal downtime and data loss. 

But CISOs also must understand where their authority ends. For example, in the event of a ransomware attack, the decision to pay would ultimately come down to other leaders in the business, like the board of directors and the CEO. 

The rise of AI and the push towards becoming a digitally-connected business is putting fresh attention on the debate between enhanced productivity and increased security risks. Tilting too far in one direction could open the business up to more attacks or significantly hinder employees’ ability to do their jobs. In both cases, the company ultimately suffers. 

The divisions between IT and security are quickly disappearing; so should the organizational barriers within the business. And as technology drives more-and-more of a company’s core functions, it’s up to CIOs and CISOs to learn how to keep level the proverbial IT see-saw.  

Reza Morakabati is CIO of Commvault.