By David Shearer, CISSP, CEO (ISC)²
I was recently reading an article by my colleague, ISACA CEO Matt Loeb, that got me thinking. In his piece, Creating cyberculture, Matt creatively reworks the “cybersecurity is everyone’s responsibility” mantra with his seatbelt analogy. While I certainly applaud any effort to create an inclusive cybersecurity culture – and Matt has some great suggestions on how to do so – I believe most organizations simply are not ready. To build on Matt’s seatbelt analogy, we’re buckling ourselves into a car seat that’s not yet bolted to the frame.
Let me explain. We still have a great deal of work to do at the operational levels of most organizations that stems from a fair of amount of US vs. THEM within IT/ICT and cybersecurity teams often fueled from top-level conflict between CIOs, CTOs and CISOs.
There I said it. I don’t draw attention to it easily or carelessly. I say this based on my own experience and the experience of those I have mentored over the years. In far too many organizations, cybersecurity remains a poorly defined discipline with unclear boundaries and areas of responsibility. Despite these organizational headwinds, IT/ICT and cybersecurity professionals are doing their best every day to keep businesses moving, minimize risk and secure their data. I like to call this unofficial collaboration at the operational levels Shadow Cybersecurity.
While the concept of Shadow IT is by and large interpreted negatively, I view Shadow Cybersecurity in a positive light. Throughout my career in IT leadership positions, I was no stranger to hunting down rouge IT efforts in the shadows of the organization that ran counter to our enterprise architecture, policies, standards and procedures. These Shadow IT challenges remain today, and frequently occur when IT is viewed as unresponsive or not fast enough in delivering on business and mission requirements. This is not unlike the perception that cybersecurity slows progress and too frequently says ‘no.’ IT/ICT and cybersecurity face the same challenge in that they are often viewed by others in the organization as inhibitors vs. enablers.
Admittedly, I'm a bit old school. I came up during a time when cybersecurity was under the umbrella of Information Assurance, along with information security versus the all-encompassing definition of cybersecurity that's evolving today. However, contrary to what my wife might say, I've learned to adapt to the perpetual naming convention changes. So at the risk of demonstrating unbounded hypocrisy, I'd like you to consider the concept of Shadow Cybersecurity.
Those of us who came up through the Information Resources Management (IRM), CIO and CTO ranks had some level of cyber, information, software and infrastructure security responsibilities that were inherent to our area of responsibility. Today, the IT/ICT workforce still retains what I'll refer to as collateral cybersecurity responsibilities. IT/ICT staff are still responsible in many organizations for hardening mobile devices, laptops, storage devices and servers that are on premise and in the cloud under Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) cloud deployments. IT/ICT workers may never be interested in or consider themselves cybersecurity professionals, but it's likely for the foreseeable future that IT/ICT workers will continue to be the unofficial force multiplier for the CISO function. They often turn the nuts and bolts of the organization’s cybersecurity policy, standards and procedures, whether they get credit for it or not.
For the purposes of this discussion, I'm referring to this type of workforce multiplier effect that IT/ICT can have on enterprise cybersecurity as Shadow Cybersecurity. In this case, these IT/ICT workers have not gone rogue working in the shadows without oversight. They represent a hardworking community that cannot be overlooked by CISOs. The may never work for the CISO; they may never consider a pure play cybersecurity position, but they can and often are contributing in positive ways to the overall enterprise security posture.
Providing serious education and certification opportunities for these individuals can help establish a lexicon of understanding and best practices that build bridges and can lead the operational areas of an organization toward the cybersecurity culture Matt describes. In my view, IT/ICT has and will continue to cast a long shadow. With the right leadership and unified perspective, these resources can have a very positive effect and compounding impact on securing the enterprise.
Whether you're an IT/ICT professional or pure cybersecurity professional, I believe we all hope for the cybersecurity culture that Matt describes. However, I think we tend to focus too much on getting upper management, the C-suite and the board of directors onboard. We still need to continue to actively improve the relationship between CIO and CISO functions. Granted, sometimes the CISO works for the CIO, and I have heard of arrangements that are working. More often than not, I hear there's still relationship management and turf challenges. Do we really find that surprising? Was it surprising when the CIO positions started to emerge in organizations in the 1990s and the challenges of getting the right line authority surfaced? Are we surprised that the CISO role is still often too far down the organizational chart to have the authority needed? Will the CISO ever have the type of carte blanche authority they feel they need? Arguably not; so like the evolution of the CIO, the CISO needs to build rapport and find ways to advance the organization’s cybersecurity program. It may happen in some organizations, but it's unlikely in my view that the CISO will ever have line authority over all IT/ICT resources. Consequently, the concept of Shadow Cybersecurity is one a CISO should consider embracing and leveraging. Doing so can provide for the force multiplier effect that I've described. Granted, some organizations are already on their way, but others are just scratching the surface.
That's my attempt to shine some light on the concept of Shadow Cybersecurity as an organizational dynamic that, if treated properly, can have a positive impact on an organization’s cybersecurity operational readiness and culture. Establishing a common lexicon and best practices between CISO and CIO resources is paramount. For practitioners, working in the shadows isn't always a bad thing. Sometimes it means you're providing complementary, but sometimes unrecognized contributions to something inherently bigger than self like cybersecurity. To all the IT/ICT professionals providing Shadow Cybersecurity in accordance with best practices, thanks for your contributions to a safe and secure cyber world.
Please stay the course, but until we address these issues, you may need more than a seatbelt for this thrill ride. Sometimes it takes someone to call out the “elephant in the room” issue to evoke positive change. That’s my hope.