Mind the Gap Between IT and Security

Cybersecurity veteran Jane Frankland stops by the STRIVE podcast.

By Jason Meserve | April 10, 2025

Jane Frankland, a cybersecurity veteran and advocate for women in tech, recently joined Darren Thomson on the STRIVE podcast to discuss the critical gap between IT and security teams. With over 28 years of experience in the field, Jane brings a unique perspective, blending her background in art and design with her deep expertise in cybersecurity. Her insights are not only informative but also offer practical solutions for organizations looking to enhance their security posture.

The Gap Between IT and Security

Jane and Darren delve into the longstanding issue of the gap between IT and security teams. While both the CIO and the CISO aim to support the business, their objectives often conflict. The CIO is focused on innovation and digital transformation, driving the organization forward with new technologies and processes. On the other hand, the CISO is tasked with reducing risk and upholding compliance, which can sometimes be seen as a hindrance to the CIO’s goals. This conflict can lead to the CISO being perceived as a disabler, rather than an enabler.

Jane shares that this gap has existed for many years and is getting worse. She notes that CISOs are sometimes removed by CIOs because, in performing the duties of their job, they slow down the CIO’s mission. This highlights the need for better alignment and collaboration between these roles.

Bridging the Gap

Jane suggests several strategies to help these roles work better together:

Collaborative projects: Involve both the CIO and CISO in initiatives, such as cyber recovery planning and system patching, from the start. This enables security to be integrated into the project from the beginning, rather than being an afterthought.
Aligned incentives and KPIs: When both teams work toward the same goals, it encourages collaboration and fosters a more cohesive and effective approach to security.
Understanding the business: CISOs need to understand the business and build relationships with other stakeholders. This helps them serve the business better and avoid being seen as a disabler. Jane emphasizes the importance of CISOs being able to communicate the value of security to non-technical stakeholders.
Defining risk tolerance: Organizations should define their risk tolerance at the board level. This provides a clear framework for both the CIO and CISO to work within, and keeps innovation and security aligned.

Cultural and Organizational Challenges

Jane also shares several anecdotes that highlight the cultural and organizational challenges in cybersecurity. She mentions that the gap between the IT infrastructure team and the security team has been a long-standing issue. The opposing objectives of the CIO and CISO can create a toxic environment where security is seen as a barrier to progress.

To address these challenges, Jane advocates for a cultural change. This involves embedding security into the organization, rather than relying solely on technology. She emphasizes the importance of leadership alignment and the need for the CIO and CISO to be on the same page at the board level.

Jane’s Impact and Advocacy

Jane’s extensive experience and unique background make her a valuable voice in the cybersecurity community. She is a brand ambassador and has been recognized on the King’s New Year’s Honours List for her contributions to the field. Her IN Security Scholarships have helped 442 women, significantly increasing cyber literacy and inclusion. Her commitment to advocating for diverse perspectives, and especially supporting women, is evident in her work. Jane encourages non-security professionals to engage with security teams and increase their cyber literacy.
This not only helps to bridge the gap between IT and security but also creates a more relevant and inclusive environment for everyone.

A Roadmap to Bridge the Gap

Jane and Darren’s conversation on the STRIVE podcast offers practical solutions for organizations looking to better align their IT and security functions and leaders. By fostering collaboration, aiming for common goals, and embedding security into the organization, businesses can create a more secure and innovative environment. Jane’s advocacy for increased cyber literacy and inclusion further underscores the importance of a holistic approach to cybersecurity.

See the full episode here.