4

Your CIO—Your Cyber Enabler

The Chief Information Officer (CIO) is the organization’s executive in charge of, and accountable for, the administration, deployment, and use of information and computer technology.

The CIO’s role in an organization is shifting from delivering enterprise services to enabling strategic business processes. This is evident, especially in recent years, with more organizations pushing digital transformation agendas. As technology advances and reshapes firms worldwide, the CIO profession has grown more popular and relevant. Today, the CIO studies how different technologies help the organization enhance existing business processes, decrease costs, and improve customer experiences, among other things, to achieve business outcomes.

The CIO has evolved from simply selecting technologies to making business-critical decisions on technology adoption based on a sound IT strategy matched against an enterprise architecture that scales with the business, maintains operational stability, and drives cost efficiency. Cyber resilience is a natural extension of a CIO’s activities to help attain these goals.

The CIO’s remit is already large and cyber resilience is a specialized knowledge area. Just as with the CFO and CRO, to expect a CIO to also possess the full breadth of cybersecurity knowledge would be a stretch too far. This is where the CISO steps in.

The Chief Information Security Officer (CISO) role is centered on preserving the confidentiality, integrity, and availability of an organization’s information and technology assets. The CISO role complements the CIO’s role, the latter of whom is more focused on securing appropriate tools to enhance productivity, identifying trends that affect the business, and identifying possibilities to use and create better technology adapted to the firm’s business models.

CISOs and CIOs often work together and support each other in preserving and protecting an organization’s information and technology assets. According to the 2021 ISACA State of Cybersecurity survey (https://www.isaca.org/resources/infographics/state-of-cybersecurity-2021-part-2), of the 3,700 global cybersecurity professionals surveyed, 48 percent of security teams report to a CISO while 25 percent report to the CIO. Notably, respondents did not demonstrate a preference to whom cybersecurity ownership should belong. However, the survey does make apparent that the ownership of cybersecurity—whether the CIO, CISO, or CRO—does weigh on how the C-level executives respond to the valuation of cyber-risk assessments, whether the board of directors prioritizes cybersecurity, and whether there is strategic alignment between IT and cybersecurity.

In today’s environment for building cyber resilience, it’s more important than ever for a CISO and CIO to collaborate to maintain compatibility between the IT strategy and the cybersecurity strategy. Doing so will allow for the best organizational outcome. There are already industry discussions today on how the accountabilities between the CISO and CIO are distinct enough for the functions and ownership of information security to be split, where the CISO no longer reports to the CIO. However, this is still a fairly fresh perspective that requires time to be tested.

To better understand the CIO, we will cover the following topics in this chapter:

  • Understanding the CIO’s role and the impacts their decisions have on cybersecurity
  • Challenges a CIO may face with the current reporting lines
  • Getting ahead of cybercriminals
  • How the CIO supports your security
  • Questions to ask your CIO

Understanding the CIO’s role and the impacts their decisions have on cybersecurity

Today, the CIO is the most senior executive in an enterprise who enables the business with technology solutions. Sometimes, in smaller organizations, this role can be referred to as the IT director.

The role of the CIO has evolved significantly throughout the years. Starting in the 1980s, businesses started utilizing technologies such as computers, databases, and even communication networks as a way to improve workforce productivity. This meant that the CIO was highly focused on technical solutions for a very utilitarian purpose. As business needs have changed, with technology universally seen as a business enabler, the importance of the CIO has expanded. Nowadays, CIOs must possess various hard and soft skills to succeed in this position, striking a balance between business requirements and organizational productivity with the appropriate technology solutions, while operating their very own business unit to support it all.

Rogier Roelofs, Asia Pacific CIO at ABN AMRO Clearing Bank, added his top three recommendations for the enablement of our CIOs:

  • Be aware of the regulations around information and cybersecurity. It is an increasingly complex area, especially for companies operating across different countries. This creates a lot of complexity because the CIO has to think about different requirements in multiple jurisdictions and how to comply with all of those items at the same time. Where in the past CIOs would mostly think about compliance and regulations as a geographical concern related to the jurisdiction in which they were located, nowadays you will not get away with that. The CIO needs to have a holistic cross-border view of distributed, processed, and stored data. 
  • Most organizations designate one person to be ultimately accountable for cybersecurity. However, it’s the responsibility of all senior management to manage cybersecurity risks in their areas and protect the interests of all stakeholders. Unfortunately, many executives do not see cybersecurity as a senior leadership issue, and therefore, creating cyber-savvy boards is of the utmost importance. The role of the CIO is to take ownership and develop a robust cybersecurity culture. This does not simply mean implementing various policies and procedures. Instead, senior management must make clear through their own actions that cybersecurity is essential to the organization’s mission, and the CIO should take the lead in this by creating transparency, accountability, and strong communication within the organization. 
  • CIOs should embed cybersecurity into the company’s software development processes. Although the focus is a lot on DevOps, this is not good enough, as it should be DevSecOps. This means everybody in the IT organization needs to have the mindset that they are responsible for fast and secure software delivery.

To ensure the organization stays ahead, CIOs often establish strategies and roadmaps so core technology systems are selected that are appropriate to the organization’s business needs, enabling the business to remain competitive in a fast-changing global marketplace. The CIO’s technology strategy can include the adoption of innovative and disruptive technologies, such as cloud computing, artificial intelligence, virtual reality, and even drones.

A CIO’s primary role is to forecast the future of computer technology advances that will provide their corporation with an edge over its competitors. One of the most important tasks of a CIO is understanding how each business unit or department operates, establishing the technological requirements and choices, and providing a clear return on investment (ROI) to their business stakeholders. The day-to-day operations of maintaining the technology landscape are often delegated and/or outsourced by the CIO.

Rapid technology adoption

A 2020 McKinsey Global Survey of executives (https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/how-covid-19-has-pushed-companies-over-the-technology-tipping-point-and-transformed-business-forever) indicated that the COVID-19 pandemic accelerated digital transformation efforts by three to four years. More surprisingly, digitally enabled products were advanced by a shocking seven years. At the same time, anecdotal observations show that cybercriminal organizations have also followed the same trajectory, progressing through their own digital transformation by matching and responding to the new ways of working their targets have adopted as a result of the pandemic.

As organizations continue to reimagine and revamp their processes, technology, resourcing, and customer experience, there needs to be an equal, if not greater, awareness that cyber threats such as account takeovers, business email compromises resulting in wire transfer fraud, and ransomware attacks against organizations are also accelerating at a rapid pace. A prudent CIO understands that creating new customer experiences while adopting new technologies might seem exciting, and often provides a great ROI. However, a misjudged choice could also lead to significant financial losses and undue business risk.

No matter what drives an influx of new technologies, CIOs cannot ignore new technology solutions that solve business issues or improve customer service for their organizations—but at what cost? New technology is exciting and eagerly anticipated. It is also often held that the older (more mature) a technology is, the fewer bugs and security vulnerabilities it has, since they have been addressed in later releases. Therefore, a newer technology theoretically may have more undiscovered security vulnerabilities.

Balancing digital transformation

A CIO must always consider the balance between business drivers, the risk of unmitigated and undiscovered security vulnerabilities, and the likely costs and financial losses following a cyberattack or a data breach. Another consideration is whether new technologies are on-premises-only solutions, which require ongoing operational expenditure (OPEX) to support and secure.

To illustrate this, let’s consider three scenarios that highlight the struggle between innovation, future investment, and liquidity management. These scenarios will show how the CIO’s decisions affect the organization’s cyber resilience and financial stability.

  • The CIO chooses an Internet of Things (IoT) technology purchased from an innovative new start-up whose solution is still a minimum viable product (MVP), meaning the product is still under development and has the minimum possible functional and security requirements. The offer is financially attractive, and the product gives a competitive edge to the CIO’s organization. However, because it is an MVP, it often means that the product does not include enterprise-grade security controls or fully meet compliance requirements. Therefore, the start-up is challenged to fulfill its obligations when a larger organization requests a third-party security assessment.

While the CIO’s decision is not wrong when deciding to work with a start-up, the CIO would need to consider the costs associated with securing the MVP product and/or even taking the start-up within the CIO’s organizational security umbrella. A CIO needs to be aware of those challenges.

  • The CIO chooses to adopt artificial intelligence (AI) to enhance a production line’s productivity. This choice of utilizing AI introduces an unknown vulnerability, which leads to a cyberattack. The attack creates major delays by interrupting the production line and causes immense reputational damage to the organization. The organization also incurs massive financial losses as deadlines are not met and contractual obligations are breached.

While this scenario is specific to certain industries, the example highlights the importance the CIO and CISO need to put on assessing the risks associated with new technologies. Every technology comes with new cyber risks because no technology is secure by default.

  • The CIO forecasts that cloud adoption will be driven by increased flexibility to access digital infrastructure and computing resources, underpinned by lower monthly OPEX costs. However, cloud adoption is approached with an “on-premises” mindset and architecture, meaning people who adopt cloud services configure them in ways that make more sense for on-premises systems. This will almost certainly drive up security costs because the security team will need to reconfigure traditional security solutions to meet the security requirements of the cloud. Security solutions such as a next-generation firewall will need to run 24/7 on the cloud tenancy to gain full visibility. Or the company could opt for the more pervasive Web Application Firewall (WAF) to better control all web traffic, but this would no doubt drive up monthly OPEX costs. The CISO will also need to consider a security solution to improve cloud-service usage visibility through a Cloud Access Security Broker (CASB) to monitor the use of unsanctioned cloud services, as the corporate network is now exposed to more internet services.

Scenarios such as these show how any digital transformation driven by the CIO needs to be balanced between business requirements, innovation, productivity improvements, and cybersecurity. In almost all instances, any transformative changes in technology increase your organization’s exposure to cyber threats.

Complex regulatory landscape

In addition to cyber threats, CIOs need to consider the ever-expanding regulatory and compliance landscape relating to privacy and security. Noncompliance with, or breaches of, regulatory requirements must be taken seriously, as they often attract very large regulatory fines and, in most cases, the ability for civil lawsuits to be filed against the organization.

For example, financial institutions in the United States must comply with standards such as the Payment Card Industry Data Security Standard (PCI DSS), the Sarbanes-Oxley Act of 2002 (SOX, P.L. 107-204), the Gramm-Leach-Bliley Act, and the Financial Services Modernization Act of 1999, among others. Amidst these regulations, technology adoption and general digital transformation must take into account security, compliance, and privacy from the outset.

Third-party risks

Many technology service providers do place more focus on security these days, adopting secure coding practices and regular security penetration testing. However, many vendors do not yet have the adequate maturity or investment in cybersecurity to ensure the minimum fundamentals to maintain a resilient and secure solution. It is important the CIO understands the difference between a security activity (for example, checking the box after performing a penetration test) and mature security practice (understanding overall exposure risks).

Security, especially when using third-party vendors, should not be seen as a defensive expenditure with a low ROI but as a necessary and fundamental component of any organizational decision. Security should be considered early in the decision-making process rather than as an add-on at the end.

Having a better understanding of the CIO’s role, the next section draws parallels between the CIO and the CISO roles, and unpacks the differences.

Differences and commonalities between the CIO and CISO roles

The CISO reports to the CIO in many organizations, with a dotted line to the CEO. While this structure might be effective, the CIO and the CISO have different goals and priorities.

Both the CIO and CISO, as C-level and senior executives, primarily focus on strategic planning, innovation, leadership, and management. CISOs strategize for business cyber resilience while securing all company assets and data. They align security policies and practices with the company’s goals and risk tolerances. On the other hand, CIOs focus on the overall, broader strategic use and management of an organization’s technology and define the roadmap for the implementation and utilization of IT systems and technological tools.

IT and cybersecurity are two different domains, although sometimes they do intersect. The CIO is typically a skilled professional with a significant background in IT as well as having an understanding of enterprise business functions. They are focused on driving business value through the adoption and operation of technology. The CISO is typically a skilled professional with a significant background in information security management along with having an understanding of enterprise cybersecurity, information security, security governance, compliance, and risk; two very different roles for two very different domains. Table 4.1 is an excellent overview of the differences between IT and cybersecurity, and their priorities.

Table 4.1 – The differences between IT and cybersecurity

The commonalities between both roles include the need for extensive communication skills, leadership qualities, strategic understanding of business and technology management, and, especially, business alignment with cyber-resilient choices, ensuring secure innovation, proper cash-flow forecasting, and liquidity management.

In the next section, we take a deeper dive into the CIO’s role as it concerns cybersecurity.

Getting ahead of cybercriminals

Although handling cybercrime is challenging, there are ways that CIOs, with the CISO’s support, can outthink, outsmart, and outmaneuver cybercriminals. CIOs must play a role in driving technology transformation efforts that include planning for better cyber resiliency.

Theresa Payton, CEO at Fortalice, author of MANIPULATED: Inside the Cyberwar to Hijack Elections and Distort the Truth, and the first female CIO at the White House, shared her views with Shamane on the actions critical for CIOs to fortify resiliency in the face of cybercriminals. To make an evolutionary change, her top three actions are:

  • Understand and educate yourself about what drives human nature and incorporate that into your cybersecurity.
  • Get to know the criminals. Create decoys of authentic-looking human profiles and systems that look valuable and leave them vulnerable to cybercriminals. Then, study the criminal elements that attack the decoys and learn from what they do.
  • Beat the criminals at their own game. Leverage the power of AI and behavior-based analytics to create behavior-based profiles of criminal activities, and then use those profiles to create a digital bodyguard to protect employees and systems against digital criminal behavior.

If we study the human psyche, we can empower and inform ourselves to stop or slow growing cybercrime. Profiling cybercriminals and better understanding how they operate is another proactive step in building cyber resiliency.

The cybersecurity burden should not rest solely on a security team or a user’s shoulders. Instead, the CIO needs to build a digital bodyguard around each human and their digital life every single step of the way. To begin, Theresa recommends CIOs take two critical actions:

  • Know your user stories. Start collecting your organization’s user stories now. Don’t try to fix things at first; just listen. Listen for the opportunities to redesign your process and security around the employees’ experience using the technologies.
  • Focus on awareness and behavior. Leverage AI to study legitimate use cases and behavior at your organization and then train the AI to alert your security team when behavior doesn’t match that baseline.

Give your users a safety net by installing easy and elegant Multi-Factor Authentication (MFA) options—there are some great technologies out there, and the benefits of using them are significant. According to research studies conducted by Microsoft (https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984), MFA stops 99.9% of password-based cybercrime in its tracks.

Magda recalls a CIO who was hesitant to implement MFA, due to concerns about low user adoption. Magda provided an alternative by making MFA optional initially and enforceable afterward. This approach worked, demonstrating that there is always a compromise to be found.

In the next section, we will discuss additional important activities where a CIO can clearly support the firm’s cyber resilience.

How the CIO supports your security

The CIO focuses on managing the information technology for the business while balancing business goals, ensuring competitive edge, and advocating for innovation, all in alignment with the CISO to ensure that security and privacy are part of the technology roadmap. The CIO’s role in cybersecurity extends further, ensuring the effectiveness and continuity of operations. Rogier Roelofs of ABN AMRO Clearing Bank puts it very clearly:

“Although the CISO might be primarily responsible for the cybersecurity roadmap, the CIO should have an in-depth understanding of how this affects the IT landscape and the consequences for the business, something the CISO doesn’t have. I do see too many CIOs being very traditional in how they see their role and responsibilities. Too old-school. They are too closely focused on the IT landscape itself and therefore missing out on what this means for the business. CIOs should utilize their technical know-how with a robust knowledge of the business side of the organization, increasing their visibility and authority through strong communication about cybersecurity so the environment can act accordingly.”

This requires a strong relationship and regular collaboration between the CIO and CISO. Security might be perceived as a challenge or an issue by the CIO, slowing down specific deployments or initiatives. Rather than seeing their roles and goals as a conflict of interest, the CIO and CISO should collaborate on cyber strategy.

Because the CIO has a holistic understanding of the business activities and business model, they can consider all implications and discuss those with the CISO to find the right balance between cyber risk, business operations, and revenue. Such discussions support finding compromises with a balance between usability and security for end users, a common concern for all parties.

Having the latest security solution is not a foolproof answer to securing an organization. Instead, a collaborative approach to focus on people and culture is critical, and this requires the CIO’s support and leadership.

The following list details some of the activities of the CIO and their role in supporting cyber resilience:

  • Establish goals and plans for the company’s information technology strategy, considering cybersecurity and privacy as key decision-making components.
  • Choose and install appropriate technology to simplify all internal processes and optimize their strategic advantages while balancing security and privacy.
  • Don’t compromise usability for security; discuss with your CISO and find the right balance.
  • Enhance the consumer experience by designing and customizing technical systems and platforms, focusing on cybersecurity and privacy as a differentiator and added value instead of cost.
  • Plan the installation of new systems and give directions to IT specialists and other organizational personnel, while ensuring the CISO’s security requirements are met. This includes managing the expectations of business stakeholders in relation to the organization’s exposure to cyberattacks and data breach risks.
  • Approve technical equipment and software acquisitions, and form strategic alliances with IT companies while considering their security and privacy posture, to support the organization’s cyber resilience.
  • Supervise the organization’s technical infrastructure (networks and computer systems) to guarantee optimal functioning, and leverage this to support your CISO’s priorities in detecting and responding to security events.
  • Manage initiatives using information technology while involving your CISO in the initial steps. It is always cheaper to build security controls into a solution than to apply remediations after a vulnerability is exploited or an attack occurs.
  • Keep an eye out for innovative solutions or improvements in technology that might give the business a competitive edge while always remembering that cyber maturity varies from company to company, from country to country, and from function to function.
  • Analyze the costs, benefits, and risks associated with information technology to advise management and make recommendations while considering potential financial losses and important security investments when making technological choices.

As digital transformation continues apace and the threats of cyberattacks remain ever present, the CIO can and should play a vital role in building and maintaining an organization’s cyber resilience. In the next section, we focus on the questions that you should ask your CIO.

Questions to ask your CIO

The following questions help frame the cybersecurity considerations for a CIO and empower them to make decisions in alignment with a business’s resiliency goals:

  • Do we treat cybersecurity as a business or IT responsibility and risk?
  • Do our security goals align with business priorities?
  • Is our current IT architecture designed for cybersecurity?
  • Is the business going to embark on any significant programs in the upcoming years, such as digital, big data, cloud, mobility, outsourcing, or third-party ventures and what are the cyber risk concerns?
  • Do we initiate decisions with a consideration of privacy and security?
  • Do we consider cybersecurity investment while discussing new technologies?
  • Do we evaluate our vendors and technologies for security risks before making strategic decisions?
  • What is the most critical information collected and held by the business, and is the business aware of the level of protection required for that information?
  • What balance do we consider between usability and security?

This list serves as a healthy baseline and an internal checklist to guide CIOs in their execution of the roadmap.

Summary

In this chapter, we defined the CIO’s role in building a cyber-resilient business. Cybersecurity is a massive undertaking. It necessitates acquiring diverse skills and specialized talents. It certainly requires collaboration and support from key stakeholders, including between the CIO and CISO.

We emphasized various cybersecurity considerations, including additional investments, cash flow, liquidity, and usability. Cybersecurity is a business enabler, and a balance between usability and security is a matter of finding the right compromise. In a strategic role that ensures any technological adoption is in support of the business having a competitive edge, the CIO cannot ignore the requirements for cybersecurity. It must be embedded in the decision-making process and the overall digital transformation and technology adoption.

The CIO must empower and support the CISO’s strategy and goals. This is accomplished by listening to each other and understanding the other’s perspectives; doing so is an essential requirement for success—the end goal always being to keep the business prosperous.

In the next chapter, we look more closely at the role of the CISO. We will define their role in detail and go further into their vital impact on cybersecurity.
