Negotiating the Conflicts between Cyber Risk Management and IT Infrastructure

Vennard Wright, President,Wave Welcome

As the C-level IT executive for multiple public and private sector organizations, I have often found myself playing referee and chief mediator between our IT infrastructure and information security teams. Balancing the shifting requirements of physical and logical security against evolving, tactical infrastructure needs and the desire to innovate is a tension that many IT leaders wrestle with daily.

While I served as Chief Information Officer (CIO), the IT security leader reported directly to me in multiple organizations, but I have also exchanged notes with colleagues who worked with a Chief Information Security Officer (CISO) as an organizational peer. Either arrangement can lead to conflict if goals, approaches, and objectives are not properly communicated, agreed upon, and aligned.

This is further complicated by rapidly evolving state and federal legislation that addresses the handling of personally identifiable information (PII) and organizations’ ability to protect this data. In many cases it forces organizations with limited resources to become compliant with Federal Information Processing Standards (FIPS) 199 and 200, the Federal Information Security Management Act (FISMA), and National Institute of Standards and Technology (NIST) Special Publications 800-37 and 800-53. Where there are limited protections in place at the application, database, and infrastructure levels, this requires a significant effort, and IT leaders must quickly scramble into action to remediate potential vulnerabilities.

The past few years have borne witness to highly publicized data breaches, ransomware attacks, and system intrusions, in most cases leading to a loss of credibility and revenue. This often triggers a frenzied response from the IT team to lock down systems and prevent further intrusion, putting controls in place that further restrict functionality and employees’ ability to access organization resources externally.

In response to the burgeoning threats, legislators have scrambled to put laws in place that sufficiently address them. One noteworthy example comes from a recent piece of legislation, which reads:

More language that outlines the intersection between IT Security and Infrastructure comes directly from FIPS Publication 200:

This means organizations will be required to prioritize the introduction of more robust protection measures into production applications while also leveraging their applications teams to upgrade to the latest versions to take advantage of more recent software security utilities.  

Oftentimes, this creates integration challenges for legacy systems, which may need to be upgraded or replaced.  In some cases, this could take multiple years, which creates greater expense for organizations and resource conflicts for IT teams that are already stretched thin.

To help mitigate these challenges, it’s helpful to ensure the following control mechanisms are in place:

System Inventory: Maintenance of an up-to-date inventory of all systems in use and their integrations.

Risk Categorization: Categorization of risk and security requirements for each infrastructure component.

System Security Plan: A comprehensive security plan and related processes, updated regularly.

Security Controls: A series of enforced security controls to remain compliant with industry best practices.

Risk Assessments: Periodic three-tiered risk assessment, performed by a third party, using the Risk Management Framework (RMF).

Certification and Accreditation: Annual security reviews to identify and mitigate any existing vulnerabilities within the IT infrastructure.

For organizations to remain secure,the CIO and CISO must work together to implement controls, maintain current patch levels, and monitor systems to ensure that vulnerabilities are prevented, detected and mitigated as quickly as possible.

The cost and level of effort of implementing these security controls is not small. Because of cost and resource constraints on existing IT staff, organizations are often forced to rely on external consultants with extensive experience in compliance standards such as FISMA, GDPR, ISO 27001, and CMMC to help assess current environments and security controls.

The growing scope of information security and compliance has even necessitated the introduction of new roles to monitor and control the proliferation of personally identifiable information (PII) that could be associated with, or could reasonably be linked, directly or indirectly, with an individual or household.  Individuals whose data is encompassed by this definition may include, but are not limited to, customers, potential customers, and employees of an organization. 

These data privacy officers ensure that all PII collected or processed on behalf of the organization is handled in accordance with the applicable guidelines, meaning it cannot be sold, rented, leased, disclosed, disseminated, made available, transferred, or otherwise communicated orally, in writing, or by electronic or other means to another business or third party for monetary or other valuable consideration.

Data privacy officers also ensure that PII is not used for any purpose other than the specific purpose for which it was collected, which means working closely with IT personnel to ensure proper controls are in place for data mapping and data loss prevention.

In summary, the IT security and IT infrastructure teams must work in tandem to ensure the following five elements:

1. Alignment with Industry Best Practices

2. Prevention of Data Loss

3. Awareness of Cyber Security Best Practices Across the Enterprise

4. Regularly Updated Policies and Procedures

5. Optimized Risk Posture

Of course, there is no guarantee that security incidents will never occur, but the likelihood is greatly reduced when the CIO and CISO work closely together to formulate and execute strategic goals that are mutually beneficial.
