8

The CTO and Security by Design

The Chief Technology Officer (CTO) is an executive who handles an organization’s technical requirements and research and development (R&D). The CTO often reports directly to the Chief Information Officer (CIO) but in some organizations may report to the Chief Executive Officer (CEO). The CTO is also responsible for overseeing technology development for the company’s customers, and may handle internal IT operations for smaller companies that have no CIO.

When working with your CTO, it helps to understand their priorities, the potential conflicts of interest with the Chief Information Security Officer (CISO), and why security by design and secure coding sit at the heart of the CTO’s role in cybersecurity.

We will cover the following topics in this chapter:

  • The role of the CTO
  • Why the CTO should care about cybersecurity
  • How the CTO becomes a security ally
  • Secure coding and secure software development
  • Conflicts of interest and collaboration between the CTO and CISO
  • Questions to ask your CTO

The role of the CTO

The CTO oversees and controls a firm’s IT components while also focusing on future business technology demands.

Responsible for the technological direction of a company, the CTO oversees R&D to ensure new products are innovative and effective. They also work with other departments to select and implement the best technical solutions for their needs. In addition, the CTO is often responsible for strategizing how technology can be used to achieve company goals.

Among the specific job tasks and expected capabilities are:

  • Defining technological objectives.
  • Developing a technological approach that supports business goals.
  • Establishing new infrastructure.
  • Maintaining data security and network efficiency.
  • Driving technical advancements.
  • Developing external, customer-facing technology.
  • Leading initiatives aimed at the company’s target audience.
  • Reviewing budgets and technology requests.
  • Expertise in network architecture, big data, information security management, and software development.
  • Innovation and thought leadership.

According to Deloitte’s research on CIO reporting lines (https://www2.deloitte.com/us/en/insights/focus/cio-insider-business-insights/trends-in-cio-reporting-structure.html), firms where the CTO reports to the CEO are more likely to have a comprehensive, enterprise-wide IT strategy than organizations with different reporting structures.

Regardless of who the CTO reports to, they are responsible for an organization’s technical implementation and advancements. As technologies evolve, the CTO is accountable for guiding teams through the adoption of new systems, processes, and procedures. Additionally, normally the CTO is in charge of all engineers and technology-related divisions as well.

With these roles and responsibilities, management skills are a key requirement of any CTO. As RubyGarage, the Ruby on Rails development company, notes, “… CTOs at some of the world’s most successful unicorns have mostly management-related missions.”

There are no limits to the challenges a CTO may face. In addition to ensuring C-level priorities and the digital team are operationally aligned, they must focus on boosting top-line growth and managing an aging infrastructure.

Depending on the size of your company, the CTO may have a dedicated security team who reports to them. If not, the CTO needs to work closely with your CISO and other department heads to ensure everyone is following best practices for security.

It is not uncommon to think the CTO is responsible for cybersecurity. Many people in positions of authority think cybersecurity is only about technology, therefore, the domain of the CTO or the IT department. But as we’ve noted throughout the book, cybersecurity is a complex process that involves people, processes, and technology. It’s not just about installing a firewall or a security software package.

However, not all CTOs have the necessary expertise in cybersecurity, and even if they do, it’s difficult to focus on both technology and security at the same time. That’s why many companies now hire CISOs to focus on the security component. CISOs are specifically responsible for security-related issues and can work with the CTO to make sure that the company moves in the right direction and builds cyber resilience.

The difference between a CDO and CTO

Organizations are increasingly recognizing the need for a Chief Digital Officer (CDO)—someone who can lead and coordinate their digital transformation efforts. The CDO role is still relatively new, so there is no one-size-fits-all definition of what it entails. However, common responsibilities include developing and executing a digital strategy, overseeing digital initiatives and projects, and driving innovation across the organization.

The CDO position generally reports to the CEO or CIO, and they may have a direct reporting line to the board of directors. They typically work closely with other senior executives, such as the CIO, the Chief Marketing Officer (CMO), and the Chief Operating Officer (COO).

CDO and CTO are job titles that are often used interchangeably, but there are some big differences between the two. A CDO is typically responsible for leading an organization’s digital transformation, which involves developing a strategy for how the company will use technology to improve its operations and grow its business. A CTO, on the other hand, is usually more focused on the technical aspects of the company’s operations, such as overseeing the development of new products and technologies.

Cybersecurity should be a chief concern for the CDO leading an organization’s digital transformation as a successful transformation depends on a secure and reliable infrastructure. If the organization’s networks and systems are compromised by hackers, it could jeopardize the entire transformation project.

Additionally, as more and more business is conducted online, the CDO is increasingly responsible for protecting the organization from cyberattacks. Given that cybersecurity maturity is still low in many organizations, the CDO has a lot of work to do in this area.

So, while the CDO is more concerned with how technology can be used to achieve business goals, the CTO is more focused on the actual technologies themselves. Both roles are important in today’s business world, which is why many companies have both a CDO and a CTO.

Why the CTO should care about cybersecurity

There are a number of reasons why cybersecurity is important for the CTO. First and foremost, as the executive responsible for technology solutions and data collection, cybersecurity is vital to protect a company against data breaches and cyberattacks. Data loss and downtime both have a significant impact on the company’s bottom line and reputation. Cybersecurity also helps to ensure compliance with industry regulations and standards.

In addition, CTOs must be concerned with cybersecurity just as they are with every other element of the company’s technology infrastructure. The CTO’s job is to advance the company’s technical agenda, and cybersecurity is an increasingly important part of that agenda.

As companies become more reliant on technology, the role of the CTO has evolved from that of a behind-the-scenes chief engineer to a more strategic role, overseeing all aspects of the company’s technology infrastructure. In many cases, the CTO is now a member of the senior executive team, reporting directly to the CEO.

With this expanded role comes increased responsibility for ensuring that the company maintains its security controls, and adopts new innovative technologies with appropriate security by default.

It makes sense to have a CISO as a colleague of the CTO in organizations that are either less digitally native or extremely vast or complex. The CISO and CTO should work alongside each other, reporting to the board and working to foster a culture of cybersecurity across a company. This entails not only determining what cybersecurity protocols are currently in place but also ensuring that the appropriate people, processes, and technology are in place as well. They also work together to develop incident response plans in case of a data breach.

This means the CTO typically focuses on big-picture issues, including planning for future technology needs, evaluating new technologies, and overseeing major projects, while the CISO focuses on more operational issues, such as the day-to-day management of security policies and procedures and ensuring that employees follow them. Of course, there is considerable overlap between these two roles, which is why the CTO and CISO must work closely together.

The CTO should design and facilitate a technology strategy, but every member of the C-suite should understand what data the firm has, how it is handled and secured, and what role each leader has in protecting that data. As stewards of an organization’s data, arguably an organization’s most valuable asset, it’s understandable that CTOs are worried about its exposure, unavailability, and even its accuracy. As technology is so important to many corporate functions, the CTO must verify that the technological solutions and services implemented remain operational. Any drop in performance or unforeseen failures could have a huge effect on the whole company.

Businesses should consider the sort of CTOs and CISOs that would work best for their organization, in accordance with its size, maturity, complexity, and current cybersecurity profile. According to an IEEE survey of 300 CIOs and CTOs conducted in December 2016 (http://transmitter.ieee.org/wp-content/uploads/2017/03/IEEE-2016-CIO-CTO-Survey-Results.pdf), cybersecurity was the most serious threat they faced.

There’s nothing surprising about this. The CTO’s most essential cyber function is collaborating with the CISO to ensure cybersecurity is never an afterthought for their company, but rather a cultural necessity.

How the CTO becomes a security ally

The CTO can become a security ally by working with the security team to ensure all systems are properly patched and updated, firewalls and other security measures are in place and functioning properly, and user accounts are properly secured. The CTO can also help to identify potential vulnerabilities in a system and work with the security team to develop solutions.

The CTO’s top priorities should include a culture and work environment that cultivates cybersecurity as one of its foundational cornerstones. CTOs should set a good example for their employees and educate them on the significance of personal and professional cyber hygiene, including security in the technology development process.

Both before and throughout development, security must be a top priority.

The CTO can encourage cybersecurity literacy and awareness training within the organization. Working closely with the CISO can ensure that any implementation of digital platforms and solutions is appropriately protected against cyberattacks, as well as preparing and pushing for best practices in incident response (including simulated exercises and full-scale simulations). Finally, tight collaboration with the C-suite and board of directors can effectively promote a culture of security and cybersecurity readiness from the top down.

Additionally, the CTO can help to set up processes and controls that make it difficult for attackers to penetrate a network or steal data. They can also work with the marketing department to create messaging that encourages users to take precautions when using company devices or accessing company networks. Ultimately, a secure system is good for business, and the CTO should be on board with making sure all systems are as safe as possible.

CISOs and CTOs can work together effectively by building a relationship based on trust and mutual respect. They need to understand each other’s roles and responsibilities and be willing to collaborate closely on projects and initiatives.

Ultimately, the goal is to create a secure environment for an organization while also enabling innovation. The CISO needs to be able to assess risk and make decisions accordingly, while the CTO needs to be able to balance security concerns with the needs of the business.

Secure coding and secure software development

The CTO of an enterprise is responsible for ensuring all security principles are applied within their tasks and teams. This means creating and enforcing principles, including policies and procedures that protect your company’s data, networks, and systems from unauthorized access or destruction.

One of the most important principles is secure coding. This means writing code that is more resistant to attacks and exploitation. CTOs should ensure their teams are trained in secure coding practices.

Another important principle is penetration testing. This involves simulating attacks on the company’s systems to identify weaknesses and vulnerabilities. There are a number of reasons why CTOs resist penetration testing. First, it can be time-consuming and difficult to find the right resources to do an effective job. Second, it can be expensive to hire consultants or purchase commercial tools. Third, penetration testing surfaces security gaps that then need to be addressed, potentially taking time away from other priorities. Finally, there is always the risk that something will go wrong during the test and cause production outages or data loss; a clearly scoped engagement with agreed rules of engagement, and testing against staging environments where that is feasible, keeps that risk manageable. Thus, while penetration testing is important for security, CTOs come up with various reasons for not wanting to undertake this activity themselves. Nevertheless, CTOs should work with their security team to schedule regular penetration tests, and to track the findings through to remediation. It is a key way to ensure the security of the organization’s data, applications, networks, and systems. The headache such testing may cause a CTO is nothing like the problems that will surface after a successful cyberattack.

Lastly, CTOs should promote a DevSecOps culture within their organization. DevSecOps stresses the importance of collaboration between developers, security teams, and operation teams. After all, everyone has a stake in the security of the company.

It is the CTO’s responsibility to ensure developers have the tools and resources they need to do their jobs. This includes access to the code repository, the correct versions of the software they need, and all of the necessary dependencies.

The CTO also needs to make sure that the developers are following best practices, such as using test-driven development, conducting thorough code reviews, and applying appropriate coding standards. Finally, the CTO needs to be available to answer questions and help resolve any problems that may occur. Software developers have generally been motivated to place greater priority on the rapid delivery of new features and capabilities. That should not be done at the expense of security.

Security testing tools for web applications have traditionally been difficult to integrate with conventional development tools and procedures. The pain of security testing can be reduced more readily when software development and IT operations are combined (DevOps). DevOps is a software development approach that emphasizes communication, collaboration, and integration between software developers and operations professionals. The goal of DevOps is to improve the flow of information and collaboration between software developers and IT professionals so that they create better software more quickly and efficiently.

DevOps is an approach, not a tool or technology. Some of the common tools and technologies associated with DevOps include Puppet, Chef, Jenkins, Nagios, Ansible, Git, and Docker; however, any tool or technology can be used in a DevOps environment, as long as it helps to improve communication and collaboration between developers and operations personnel.

In DevOps, security is no longer the realm of specialist security professionals alone but rather a standard aspect of the delivery process. By incorporating security into DevOps, developers can build software with fewer security defects, and catch the ones that remain earlier, which helps to keep timelines short and enhances the quality of each release.

DevOps is not a new approach for most businesses, but as pressure mounts to complete code and move it into live production as quickly as possible, DevOps security becomes increasingly important. Code breaks, bad actors use automated vulnerability-finding tools, and regulators keep a close eye on data breaches, so software security becomes increasingly critical.

Traditionally, security has been more of an afterthought, and many security practitioners have advocated for DevSecOps to emphasize the idea that the security team should not be left out of the dialogue.

When it comes to DevOps security, the view is that security features and requirements are identified early in the development process, when they can be built into the software rather than added on at the end, incurring additional redesign/remediation costs and even having a direct impact on user experiences.

DevSecOps is the combined practice of DevOps and information security or, more broadly, the practice of integrating security into the software development process.

The goal of DevSecOps is to make it easier to write secure code and to catch potential security issues as early as possible in the software development process. This is done by bringing security engineers into the team early on, automating security checks in the build process, and following secure coding practices.
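To make the two ideas in this section concrete (secure coding as described earlier, and an automated security check that runs in the build as described just above), here is an added example, not code from the original chapter. It is Python using only the standard library: an in-memory SQLite database with constructed sample rows, a deliberately vulnerable lookup built by string formatting beside its parameterised (hardened) form, a regression check that would run in a CI pipeline to prove the fix holds against a classic injection payload, and a small illustrative pattern check that flags SQL built by string formatting in source text. That last check is a hypothetical stand-in for a real static analysis tool, not a substitute for one.

```python
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a constructed, in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: attacker-controlled input is spliced into the SQL text, so
    # quote characters in the input change the structure of the query.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # HARDENED: the value is bound as a parameter; the driver never parses it as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic tautology payload: closes the string literal and adds an always-true clause.
INJECTION_PAYLOAD = "x' OR '1'='1"


def security_regression_check() -> dict:
    """The kind of check a DevSecOps pipeline runs on every build.

    Returns how many rows each variant leaks for the injection payload and whether
    the hardened variant passes (it must return no rows for a non-existent user).
    """
    conn = build_db()
    unsafe_rows = find_user_unsafe(conn, INJECTION_PAYLOAD)  # leaks the whole table
    safe_rows = find_user_safe(conn, INJECTION_PAYLOAD)      # finds no such user
    return {
        "unsafe_rows": len(unsafe_rows),
        "safe_rows": len(safe_rows),
        "passed": len(safe_rows) == 0,
    }


# Hypothetical lightweight source check: flag .execute( calls whose SQL is built with
# an f-string, or with a double-/single-quoted literal followed by % or + formatting.
_STRING_BUILT_SQL = re.compile(
    r"""\.execute\(\s*(?:f["']|"[^"]*"\s*[%+]|'[^']*'\s*[%+])"""
)


def flag_string_built_sql(source: str) -> list:
    """Return 1-based line numbers where SQL appears to be built by string formatting."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if _STRING_BUILT_SQL.search(line)
    ]


# Constructed snippet to run the check against (not real project code).
SAMPLE_SOURCE = """\
def lookup(conn, name):
    rows = conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()
    rows += conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()
    rows += conn.execute("SELECT * FROM users WHERE name = '%s'" % name).fetchall()
    return rows
"""


if __name__ == "__main__":
    result = security_regression_check()
    print("regression check:", result)
    print("flagged lines in SAMPLE_SOURCE:", flag_string_built_sql(SAMPLE_SOURCE))
```

Run as a script it prints the regression result and the flagged lines 2 and 4 of the constructed snippet (the parameterised call on line 3 is not flagged). In a real pipeline the regression check would be an ordinary unit test that fails the build, and the pattern check would be replaced by a proper SAST tool; the point is that both run automatically, before merge, rather than being discovered by a penetration tester months later.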

Conflicts of interest and collaboration between the CTO and the CISO

The CISO’s job is to secure a company’s systems and data, while the CTO’s job is to build and improve those systems. These two jobs can sometimes come into conflict, since the CTO may want to build new systems or enhancements that could potentially weaken security, and the CISO may want to hold back on changes until they can be fully vetted for potential security risks.

There can also be a conflict of interest if the CTO is also responsible for acquiring new technology for the company. The CISO needs to ensure these technologies are properly evaluated for security risks before being implemented, which could slow down the adoption of new technology.

There are a few key challenges that can crop up between the CTO and CISO:

  • Misaligned priorities: The CTO is typically focused on driving innovation and growth, while the CISO is more focused on protecting the organization from potential cyber threats. This can lead to tension and disagreements about where resources should be allocated. From Magda’s (co-author of this book) experience, she has found there are usually two main areas of misalignment between a CTO and a CISO: budget and priorities. The budget is often the biggest area of disagreement. The CTO is focused on investing in new technologies and innovation, while the CISO is concerned with being appropriately financed to ensure the security of existing systems. This can lead to tension when it comes to allocating resources. Priorities can also be mismatched, where the CTO may prioritize new initiatives and projects, while the CISO may prioritize maintaining the current security posture and responding to incidents rather than introducing new technologies. Again, this tension can arise when decisions have to be made.
  • Different skill sets: The CTO has a technical background and is typically more comfortable with technology, while the CISO has a security background and may not be as familiar with technology issues. This can also lead to disagreements about how best to address certain security concerns, as it is not surprising that they have different perspectives on how to do this.
  • Communication breakdowns: If the CTO and CISO are not able to communicate effectively, they will not be able to achieve their desired outcome of building a cyber-resilient business. The CTO may not understand the technical details of the security measures that need to be put in place, while the CISO may not understand the business implications of certain technology decisions. This can lead to miscommunication and misunderstandings.
  • Security as an afterthought: As mentioned previously, development teams might focus on getting a working product and leave security as an afterthought. The CTO and CISO must create a culture that maintains open lines of collaboration and communication.

However, it is important they work together to ensure that all aspects of security are considered, and that any disagreements are resolved in a way that best protects both a company’s technology and its information. After all, if a breach occurs due to a lack of communication or cooperation between these two departments, both could be held accountable.

The CTO’s and CISO’s teams can collaborate at a strategic level by finding a balance and compromise that better aligns their respective priorities. If that is not already built into the organizational culture, it needs to be. Security is no longer the domain of IT teams who come in after an incident to explain why and how your service failed, exhaustingly going through the hotfixes they have applied to keep it running because of the security mistakes introduced when it was first deployed. Instead, security is now part of the team, integral to every step of the development process.

A DevSecOps approach helps the organization attain a stronger security stance while raising its agility and competitiveness. If done well, the security team will find themselves more motivated to dedicate time to higher-value work, such as threat hunting or dealing with critical-rated remediations, as opposed to repetitive cyber-hygiene work. The CISO’s duty is to identify and focus on security expenditures that will enable a firm to accomplish its strategic objectives with the minimum of acceptable risk, as opposed to the CTO’s function of raising awareness and providing resources.

Trust and leadership quality are both essential components in forming an authentic relationship.

Questions to ask your CTO

The role of the CTO is to ensure that an organization’s technology architecture aligns with its business strategy. There are a few key things to look for when trying to determine whether your CTO understands cybersecurity. First, does your CTO have a background in computer science? Second, does your CTO have experience in the cybersecurity field? Third, is your CTO up to date with the latest cybersecurity trends and threats? And finally, can your CTO speak the language of cybersecurity?

If you can answer “yes” to all of these questions, it’s likely that your CTO understands cybersecurity. However, if you can only answer “yes” to some or none at all, then it’s possible that your CTO doesn’t really understand it.

Given the increased importance of cybersecurity in business today, here are some other considerations you can discuss with your CTO to get a sense of how they approach cybersecurity at your organization:

  • What steps have we taken to improve our cybersecurity posture in alignment with our CISO’s guidance?
  • How do you evaluate what degree of risk is acceptable in our adoption of technology?
  • Is there such a thing as too much security?
  • How do you decide which security investments to make?
  • Are you allocating appropriate spending to cybersecurity tools and controls that will safeguard our customers’ peace of mind?
  • How would you respond in the event of a cybersecurity emergency experienced by a customer?

Summary

We have covered the different responsibilities of the CTO in detail, exploring the reasons why cybersecurity should matter to the CTO. With this understanding, we are able to mobilize the CTO as a powerful ally and utilize the DevSecOps approach to achieve your desired state, through close collaboration with the technology and development team.

As we come to the end of this chapter, it is important you take the time to reflect on what has been presented. You should also begin thinking about how you can put these concepts into action and begin hiring the right personnel to meet your cybersecurity and technology needs. Remember, a CTO is not a CISO.

In the next chapter, we will tackle the roles of the Chief Marketing Officer (CMO) and Chief Privacy Officer (CPO) and examine how they can also advocate for cyber resilience. The CMO and CPO are the voices of your company in regard to online privacy. The CMO is responsible for communicating the company’s cybersecurity policies while promoting a shared understanding across all departments of how best practices can be implemented, ensuring everyone can work together toward building a cyber-resilient organizational culture. The CPO is responsible for maintaining privacy practices and compliance.
