Defrag This


Relationship Between CISOs and IT Teams

Missy Januszko| March 06 2017


The CISO (Chief Information Security Officer) position is complex and demanding. With an ever-expanding threat landscape, the CISO navigates a web of responsibilities that runs the gamut from staying ahead of cyberattacks and managing security teams to analyzing and communicating risk, all in the service of protecting a company’s valuable electronic assets.

With such responsibility comes much difficulty. A CISO needs the support of the surrounding IT team to improve the protection of the company’s information assets, but that support can be hard to come by. Communication and education go a long way toward bridging the gap between CISOs and IT teams.

Patching:  A Cross to Bear

IT teams don’t always love patching. Every week, new patches are released to close security holes in operating systems and software, and every hour IT spends applying them is an hour not spent on other work. And yet vulnerabilities are being exploited at increasing rates.

Educating IT teams on the cost of a breach can help, and is likely part of a company’s compliance training already. Making IT staff personally accountable through performance goals tied to patching metrics gives them an incentive to keep systems up to date on patches.

Balance Between 100% Patching and Reality

One hundred percent patch compliance is impossible. It often happens that a system is patched in the morning and a new vulnerability is announced that afternoon, putting the system out of compliance again. CISOs and their teams are responsible for rating the risk of each vulnerability and for defining a tolerable delta between patch release and patch deployment.

Occasionally, the downtime required to patch a server can cost the business money, client satisfaction or retention. Legacy systems often have little to no redundancy, and their failover procedures are usually manual. This forces an IT team that is already spread thin to spend an inordinate amount of time on patching and remediation.

The Budget Crisis

Depending on the company’s organizational structure, CISOs and IT teams may find themselves fighting for the same budget year after year. It doesn’t have to be that way. Consider those legacy systems that require manual work to patch. It’s in the CISO’s interest to have them patched, and it’s in both the CISO’s and IT’s interest to keep clients happy.

Using the budget to invest in load balancing or automation software is a good way to reduce the load that patching places on IT. Eliminating manual steps also means patches can be deployed more quickly, which puts more systems in compliance. That is a win for both the CISO and IT.

CISO and IT Teams Keeping Current

Another way CISOs and IT teams can get more for the shared IT budget is to keep technology current. Old hardware, servers and desktops running operating systems or software for which the vendor no longer issues patches create unsustainable technical debt in the form of security holes that can never be closed. Replacing old systems before they reach end-of-life benefits both sides.

Change Detection

The CISO needs to prevent a compromise and, where prevention fails, detect it. For that, the IT team needs to detect unauthorized changes to the IT landscape with certainty. Rogue devices, reboots outside a maintenance window, or unusual network activity can all be signs of a compromised system that the IT team will need to react to.

Tools like Ipswitch’s WhatsUp Gold can quickly detect new devices with the Automated Discovery feature. Using tools that quickly identify these changes and help remediate them goes a long way toward protecting a company’s assets.
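The two change signals named above, rogue devices and reboots outside a maintenance window, reduce to comparing what you observe against what you authorized. The example below is added here to show that logic; it is not WhatsUp Gold’s code or anything from the original post. The inventory, the discovery snapshot, the boot events and the Sunday 02:00–04:00 maintenance window are all constructed assumptions for the example.

```python
from datetime import datetime, time
from typing import Dict, List, Tuple

# Approved maintenance window: Sunday 02:00-04:00 local time.
# This window is an assumption for the example; use your own change calendar.
MAINT_WEEKDAY = 6            # datetime.weekday(): Monday == 0 ... Sunday == 6
MAINT_START = time(2, 0)
MAINT_END = time(4, 0)


def rogue_devices(baseline: Dict[str, Tuple[str, str]],
                  snapshot: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Compare a discovery snapshot of (mac, ip) pairs against the authorized
    inventory (mac -> (ip, hostname)). Reports MACs that were never inventoried
    and known MACs that now answer from a different address."""
    findings = []
    for mac, ip in snapshot:
        if mac not in baseline:
            findings.append((mac, ip, "unknown device"))
        else:
            known_ip, hostname = baseline[mac]
            if known_ip != ip:
                findings.append((mac, ip, f"{hostname} moved from {known_ip}"))
    return findings


def in_maintenance_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the approved window."""
    return ts.weekday() == MAINT_WEEKDAY and MAINT_START <= ts.time() < MAINT_END


def reboots_outside_window(events: List[Tuple[str, datetime]]) -> List[Tuple[str, datetime]]:
    """Boot events (hostname, boot time) that did not happen during maintenance."""
    return [(host, ts) for host, ts in events if not in_maintenance_window(ts)]


# Constructed data for the example: not real hosts, MACs or addresses.
BASELINE = {
    "aa:bb:cc:00:00:01": ("10.0.0.10", "web01"),
    "aa:bb:cc:00:00:02": ("10.0.0.11", "db01"),
    "aa:bb:cc:00:00:03": ("10.0.0.12", "legacy01"),
}
SNAPSHOT = [
    ("aa:bb:cc:00:00:01", "10.0.0.10"),
    ("aa:bb:cc:00:00:02", "10.0.0.11"),
    ("aa:bb:cc:00:00:03", "10.0.0.40"),   # known host at an unexpected address
    ("de:ad:be:ef:00:01", "10.0.0.57"),   # never inventoried
]
BOOT_EVENTS = [
    ("web01", datetime(2017, 3, 5, 2, 30)),      # Sunday 02:30: inside the window
    ("db01", datetime(2017, 3, 4, 23, 15)),      # Saturday night: outside
    ("legacy01", datetime(2017, 3, 2, 13, 40)),  # Thursday afternoon: outside
]

if __name__ == "__main__":
    for mac, ip, why in rogue_devices(BASELINE, SNAPSHOT):
        print(f"DEVICE  {mac} {ip}: {why}")
    for host, ts in reboots_outside_window(BOOT_EVENTS):
        print(f"REBOOT  {host} at {ts:%Y-%m-%d %H:%M} outside maintenance window")
```

A known MAC at a new IP is reported separately from an unknown MAC on purpose: the first is usually a DHCP change or a misconfiguration, the second is the case that needs a person to walk over and look. Either way the finding is only as good as the baseline, so the inventory has to be maintained as part of the change process, not rebuilt from the last scan.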

Defining Security Metrics

“Security” is hard to measure, and that makes a CISO’s value hard to measure too. Organizations need to prove they are doing enough to keep their assets safe. The lack of effective metrics is a major issue, but some metrics can be useful.

CSO Online suggests a few good metrics for information security. Defense coverage, patch compliance and latency, and outside testing results are examples of metrics that can be used to gauge the strength of your security program, but the measurement and data gathering for them will likely require the cooperation of your IT team.
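The patch compliance and latency metric mentioned here is the same “tolerable delta between patch release and patch deployment” from the section on balancing 100% patching against reality, and it is worth seeing how the two differ from a naive “is it installed” count. The example below is added for that purpose; it is not from the original post or from CSO Online. The per-severity SLA values, the patch identifiers and the host inventory are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Tolerable delta (days) between patch release and deployment, by severity.
# These SLA values are an assumption for the example; the CISO's team sets its own.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Patch:
    patch_id: str
    severity: str
    released: date


@dataclass
class Host:
    name: str
    # patch_id -> date installed; a missing key means the patch is not installed
    installed: Dict[str, date] = field(default_factory=dict)


def latency_days(patch: Patch, installed_on: Optional[date], today: date) -> int:
    """Days from release to install, or to today if the patch is still missing."""
    end = installed_on if installed_on is not None else today
    return (end - patch.released).days


def evaluate(hosts: List[Host], patches: List[Patch], today: date) -> List[dict]:
    """One record per host/patch pair with its latency and SLA verdict."""
    rows = []
    for host in hosts:
        for patch in patches:
            installed_on = host.installed.get(patch.patch_id)
            latency = latency_days(patch, installed_on, today)
            rows.append({
                "host": host.name,
                "patch": patch.patch_id,
                "severity": patch.severity,
                "installed": installed_on is not None,
                "latency_days": latency,
                "within_sla": latency <= SLA_DAYS[patch.severity],
            })
    return rows


def install_rate(rows: List[dict]) -> float:
    """Naive metric: share of host/patch pairs where the patch is installed at all.
    Drops every time a new patch is released, whatever IT does."""
    return sum(r["installed"] for r in rows) / len(rows)


def sla_rate(rows: List[dict]) -> float:
    """Latency metric: share of pairs within the tolerable delta. A patch released
    today that is not yet installed is still within SLA; a patch installed late
    is not, even though it is installed now."""
    return sum(r["within_sla"] for r in rows) / len(rows)


def overdue(rows: List[dict]) -> List[Tuple[str, str, int]]:
    """Pairs out of SLA, oldest first, for the remediation queue."""
    late = [r for r in rows if not r["within_sla"]]
    late.sort(key=lambda r: (-r["latency_days"], r["host"]))
    return [(r["host"], r["patch"], r["latency_days"]) for r in late]


# Constructed inventory for the example (not real hosts or patch identifiers).
TODAY = date(2017, 3, 6)
PATCHES = [
    Patch("PATCH-A", "critical", date(2017, 2, 20)),
    Patch("PATCH-B", "high", date(2017, 2, 24)),
    Patch("PATCH-C", "medium", date(2017, 3, 6)),    # released today
]
HOSTS = [
    Host("web01", {"PATCH-A": date(2017, 2, 23), "PATCH-B": date(2017, 3, 5)}),
    Host("db01", {"PATCH-B": date(2017, 3, 1)}),      # critical patch still missing
    Host("legacy01", {"PATCH-A": date(2017, 3, 5)}),  # installed, but 13 days late
]

if __name__ == "__main__":
    rows = evaluate(HOSTS, PATCHES, TODAY)
    print(f"install rate: {install_rate(rows):.1%}")   # 44.4%
    print(f"within SLA:   {sla_rate(rows):.1%}")       # 77.8%
    for host, patch, days in overdue(rows):
        print(f"OVERDUE {host} {patch} {days}d")
```

On this data the naive install rate is 44%, mostly because a medium patch came out this morning, while the latency metric is 78% and points at exactly two problems: the critical patch missing on db01 and the one applied late on legacy01. That is the number a CISO can defend and the list IT can act on, which is why the metric has to be agreed between the two rather than imposed by either.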

Robust Security Controls and Architecture

Since data protection is the CISO’s priority, it is also critical to have security controls in place for that data. Knowing where your data sits, and where it is at a moment’s notice, helps both the CISO and the IT team if and when an audit takes place. A robust secure file transfer tool such as MOVEit Transfer can track your data at rest and in motion, and will also encrypt it, maintaining compliance even while the data is moved.

Investing in security is like buying life insurance – you hope that when you need it, you’ve done enough.  CISOs and IT teams must share in the silent successes of an effective security strategy, because they also will share in the wrath and subsequent cleanup of a breach if they do not.


Topics: security


THIS POST WAS WRITTEN BY Missy Januszko

Missy Januszko is an independent IT consultant, with more than 20 years of experience as an enterprise hosting architect, large-scale infrastructure designer, and hosted application designer. She specializes in DevOps, automation and configuration management, PowerShell, and Active Directory, and has broad experience across the entire line of Microsoft business technologies. Missy is a co-author of “The DSC Book” with Microsoft MVP Don Jones, and she is also a conference speaker on DSC-related topics. She is a contributor to a number of open-source projects, including “Tug”, the open-source DSC pull server, and “Autolab”, an automated, rapid-install lab build.
