Corporate Tech Leaders Untangle Their Cybersecurity Roles - WSJ

CIOs and CISOs have found their security purviews converging and are trying to sort out the dividing lines

One adviser to business technology leaders recommends CIOs and CISOs establish clear definitions of ownership and accountability.
PHOTO: WOOHAE CHO/BLOOMBERG NEWS
By Belle Lin
Dec. 22, 2022 7:00 am ET
Information technology and cybersecurity chiefs grew closer than ever in 2022, a dynamic allowing for more comprehensive threat mitigation, but raising new questions over responsibilities.

Many executives now say that as their roles around cyber appear to converge, they are working to sort out the dividing lines between their shared security and IT responsibilities.

A few years ago, if organizations were hit with a ransomware attack, the chief information officer “would come running” to the chief information security officer for help in dealing with the aftermath, said Lena Smart, the CISO of database service provider MongoDB Inc.

Now, Ms. Smart said her security department works with CIO Mindy Lieberman to get ahead of ransomware attacks. About 50% of the company’s threat planning simulations, in which IT plays an active role, involve ransomware scenarios, according to Ms. Smart.


MongoDB CISO Lena Smart.
PHOTO: MONGODB INC.
Across organizations worldwide, CIOs and CISOs are redefining their relationships, a shift reflecting both a surge in high-profile cyberattacks, and cybersecurity’s steady rise to the top of CIOs’ priorities—the result of continuing IT modernization, analysts say. In the most common corporate structure, CISOs report to CIOs.

“It is cybersecurity. …That is the highest priority,” Chris Howard, chief of research at technology research and consulting firm Gartner Inc., told The Wall Street Journal earlier this year.

The accelerated adoption of cloud computing and cloud-based software in enterprise technology environments has also made the cloud “the main target for top-tier attackers,” said Phil Venables, the CISO of Alphabet Inc.’s Google Cloud.

That, too, has forged closer ties between CIOs and CISOs, as they put greater focus on protecting infrastructure across cloud environments, Mr. Venables said.

In some cases, CIOs and CISOs have “difficult conversations” about what priority the IT team should give to tasks like software patching and system monitoring, which are crucial for mitigating cyber threats, said Bonnie Titone, the CIO of utilities provider Duke Energy Corp. Those tasks can add to the workload of an IT operations team, Ms. Titone said.

The Charlotte, N.C.-based power producer moved cybersecurity under Ms. Titone’s purview about a year ago, partly in response to cyber threats like the ransomware attack that led Colonial Pipeline Co. to temporarily shut down its pipeline in 2021.

“Being in a utility, specifically one of the largest, Duke’s kind of the 800-pound gorilla,” Ms. Titone said. “We generally have a target on our back.”

Though the CISO reports to her, Ms. Titone said security has “the biggest bark in the room.” On the other hand, “IT’s job is to enable the company, or else you can’t build tools and rules and components. That stops you from innovating,” she said.

Jim Swanson, the CIO of healthcare-products company Johnson & Johnson, said that although security sits within his priorities and responsibilities, he makes sure that CISO Marene Allison’s voice is heard. Ms. Allison is retiring at the end of the year, the company said, and will be succeeded by Gary Harbison.

“I’ve always made sure that it is a prominent function, reports at my leadership team table, it’s not buried in the organization, they have an independent voice,” Mr. Swanson said. “So when I talk to our board, I talk about our operational data, and my CISO does the presentations.”

At Adobe Inc., the CISO sets corporate cybersecurity policies but works with the IT organization to execute them, said Cynthia Stoddard, the company’s chief information officer. But there is also collaboration between them where “security may set the policy, but my team is raising, ‘Hey have you thought about this?’” Ms. Stoddard said.


Adobe Chief Information Officer Cynthia Stoddard.
PHOTO: ADOBE INC.
Prasad Ramakrishnan, the CIO and former CISO of software maker Freshworks Inc., said IT and security have shared roles in evaluating the cybersecurity resiliency of corporate software purchases. And in securing a hybrid work environment, his joint cybersecurity and IT roles included adding a new cybersecurity layer on top of cloud-based software on company laptops.

MongoDB’s Ms. Smart said that she is often collaborating with Ms. Lieberman to secure applications developed by the company’s software engineers for internal use. “We have a lot of bespoke tools being a tech company,” she said. “If we find something and it’s got a critical vulnerability, they’ll fix it immediately. That’s the agreement.”

As the demand for corporate security leaders has grown—along with the elevation and visibility of the role—there is renewed interest in the dynamics between the CIO and CISO, said Alex Michaels, a Gartner adviser who works with IT leaders.

Mr. Michaels recommends that CIOs and CISOs “establish clear definitions of ownership, accountability as well as roles and responsibilities,” particularly for ransomware and malware attack scenarios.

“Regardless of the relationship between the CISO and CIO, it is important to remember that the business owners of information are ultimately accountable for protecting their own information,” he said.