What CIOs should understand about adversaries and innovation
The responsibilities of chief information officers and strategists run the gamut, but at their heart is the requirement to keep IT systems safe.
During the 2018 MIT Sloan CIO Symposium, a panel of cyber experts considered the role of CIOs and chief information security officers, and what companies can do to balance security and innovation.
The CIO’s role
Quoting a statistic he’d heard, Lev Lesokhin, MBA ’00, executive vice president for strategy and analytics at CAST software company, said 84 percent of today’s cyberattacks are happening at the application layer.
You can assume “the adversary is inside your network,” Lesokhin said, so the last line of defense — and ultimately where the attacks are happening — is the application and data layer.
If that data layer is the last line of defense, then a CIO needs to be the person leading that defensive strategy.
That’s according to Lance Weaver, vice president for product strategy and emerging services at Equinix — a global data center and interconnection provider. Weaver said about 80-90 percent of the internet flows through Equinix’s systems.
“Operationalizing security within an organization is critical,” Weaver said, and realistically the CIO has purview across the organization to ensure risk management.
“As we see more digital transformation occurring, more companies delivering digital products, the ability to own and integrate that fully within the company’s process is very important,” Weaver said.
Ensuring successful risk management for applications and data should be the job of a CIO, Lesokhin said, but that’s not the case today. CIOs should “own” cybersecurity, but too often the problem is being delegated to a chief information security officer, allowing a CIO to “wash [their] hands of it,” Lesokhin said.
Innovate to succeed
Innovation is another area where a company CIO and cyber team must balance risk with reward.
Don Anderson, senior vice president at the Federal Reserve Bank of Boston, said the bank doesn’t like any risk at all, but risk is necessary if it wants to innovate.
“I’m willing to take those risks, sign off on them, but I take an iterative approach to them,” Anderson said. “That tone from the top shows we are willing to innovate … but we’re going to do it deliberately.”
Weaver said innovation is critical for almost any business to succeed, and for his team, it’s more than just looking at the risk on the front end of idea testing. Weaver said if you take a step back and look at what you can “de-risk” on the front end of an idea, you’ll innovate much faster while also maintaining security.
But when it comes to designing a new idea, in this case a software capability, security is still viewed as an obstacle, Lesokhin said. Just as old city buildings used to have only fire escapes for protection, software security is bolted on after the fact.
When you’re designing a system that runs the digital door locks at a hotel, or software that manages the check handling for banks, “security needs to be part of the feature set,” Lesokhin said.
“All the stuff you loaded in for functionality,” Lesokhin said, “the security needs to be designed in at that point.”