CISOs and the Transformative IoT Cybersecurity Mandate
Through IoT, CISOs can redefine their roles as less risk-avoidance and more proactive risk-reduction
Although the “official” statistics remain a bit fuzzy, word on the street indicates an average tenure of 17 to 20 months for chief information security officers (CISOs). Although CISO employment longevity is improving across the industry, the problem remains particularly acute in health care. Lots of interesting anecdotes are offered up to explain the phenomenon, as clearly it’s a rather awkward, if not troubling, circumstance. Something has to give.
Some of the more common reasons given include suggestions that CISOs have a tendency to chase the latest and greatest infrastructural improvements yet fail to more quickly embrace point solutions that directly address well-known risks. It’s a rather ironic observation, as it’s said that CISOs are generally preoccupied with finding the balance between delivering an impact and “getting out” before they get blamed for something awful. While these and other opinions may be good fuel for IT cocktail parties, the analysis of such banter does nothing to improve the CISO condition.
Because the CISO role does not, as currently brokered, lend itself to lateral or upward organizational mobility, it needs to be redefined. And the conditions are ripe for it: Across industries, the explosive growth of all-things-IoT and the need to address the associated cybersecurity risks is forcing non-traditional collaborations. Cross-functional teams must converge to effectively address the problem within their organizations, providing CISOs with an unprecedented opportunity to provide the required leadership. Furthermore, because the latest and greatest IoT-specific solutions are laden with use cases that drive measurable operational improvements (i.e. ROI), CISOs are being provided cards that enable an entirely different playing hand.
Modern IoT cybersecurity solutions are founded on several common tenets: visibility, security policy creation, security policy enforcement and utilization. Despite rumors to the contrary, the vendors that focus on addressing visibility and utilization are highly differentiated. While some are capable only of identifying an IoT device type, others are now delivering device-specific attributes. Additionally, while some can provide selected utilization metrics for devices communicating via commonly known protocols, others are providing extraordinary levels of detail, regardless of how unique or exotic the protocol.
And that’s the game-changer. When the coverage is comprehensive and the data fidelity and quality are available, they are serving to bridge long-standing gaps in the tools/workflows of IT professionals, maintenance/operational engineers, supply chain/procurement departments and even financial offices.
For CISOs who remain uncertain about their roles, the opportunity with IoT devices is clear. It is equally obvious how utilization data can be used to enforce SLAs, inform more effective preventive maintenance scheduling, lengthen device life cycles and give procurement the intelligence to more effectively plan, buy and capture contractually negotiated benefits. In other words, beyond providing more automated and effective means to identify, mitigate and remediate cybersecurity risks, these same data are now being used to enable a variety of unrelated operational improvements. The use cases are exploding. And the good news is, it’s all happening under the umbrella of an office that has been searching to strengthen its ROI mission to the enterprise.
So, the questions CISOs should be asking cybersecurity vendors need not be limited solely to matters specific to cybersecurity. CISO investigations should be expanded to include what additional data can be effectively parsed from the networks they manage for streaming to other operational systems that can benefit.
Put another way, CISOs must go out of their way to avoid the “insurance policy” metaphor. Their actions should not be centered on risk avoidance, but on programs that actively reduce risk through use cases that improve operational performance, save their organizations money and drive revenue. Instead of attacking goals that, while urgent, have been deemed far less strategic than the work of their C-level peers, solving the IoT cybersecurity problem presents CISOs a timely and rare opportunity. Given the high-profile nature of the problem—and the organizational benefits that accrue when effectively addressed—it can now be argued that CISOs have a mandate to drive bottom line-focused collaborations. At a minimum, such leadership will quickly serve to reshape outdated perceptions of their office.