These trade-offs are pinch factors that intersect with the CISO’s remit, highlighting conflicting priorities for each events. Over time, such conditions — and the way they’re dealt with and resolved — can result in actual friction between the 2 events. This friction will be overt, boiling over in public, or covert, the place it’s extra hidden from different colleagues or the CIO/CISO themselves.
Frequent CIO-CISO stress factors
In each mature enterprise dangers should be accepted in the interim, with remediation deferred. Vulnerability patching is one instance the place rigidity between the CIO and CISO can come up.
Within the case of extremely crucial vulnerabilities which have been exploited, the CISO will need patches utilized instantly, and the CIO is probably going aligned with this urgency. However for medium-level patches, the CIO could also be beneath stress to defer these disruptions to manufacturing techniques, and will push again on the CISO to attend every week and even months earlier than patching.
The identical rigidity exists for packages that affect digital buyer expertise. For instance, new multifactor authentication performance requires new buyer communications and maybe related short-term disruption of the channel, one thing that could be tough for the enterprise to just accept.
Or the CIO and the engineering workforce could also be working with enterprise models to facilitate new buyer options by way of an API platform. From the CISO’s perspective, these APIs have to be managed correctly, and even penetration-tested, to make sure they don’t create an surprising information loss vector. The CISO will need extra controls utilized, however the CIO, whereas agreeing in precept, should additionally fulfill the stakeholders by guaranteeing the characteristic is delivered, typically in a short while body.
Incident administration is one other are ripe for rigidity. The CISO has a management function to play when there’s a critical cyber or enterprise disruption incident, and is usually the“messenger” that shares the dangerous information. Naturally, the CIO needs to be instantly knowledgeable, however typically the small print are sparse with many unknowns. This will make the CISO look dangerous to the CIO, as there are sometimes extra questions than solutions at this early stage.
