IT Departments ‘Should Report’ To Cybersecurity Teams To Combat Threats

Traditional IT organisational structures could benefit from improved security if the hierarchy of the chief information officer and chief information security officer are flipped.

Traditionally, the latter (CISO) would report into the former (CIO); this could mean that decisions to adopt the latest technology, be it cloud, new mobile devices or some form of Internet of Things (IoT) network, could take priority over the risk they may pose to security.

Security firm Malwarebytes has taken a different take on this by flipping the roles somewhat and having Justin Dolly as both the CISO and CIO at of the company.

Moving security up the hierarchy

“We’ve seen traditionally that security is reported up to IT in most organisations; we’ve flipped it a little bit and IT is reporting into security,” Dolly told TechWeekEurope in an interview at IP Expo 2016.

“And the reason why we’ve done that is so that all the technology decision in the company are made with a security mindset and with security most definitely part of the equation when decisions are being made around which technologies to leverage, which solutions to use and which platforms to leverage.”

Given the increasing amounts of cyber threats being targeted at organisations of all sizes, Malwarebytes’ approach seems prudent, even if you discount the fact that it is a security specialist.

Dolly pointed out that increased tech adoption in enterprises continues to open up attack vectors: “Your endpoints are realty an area that are going to be attacked all the time.”

This further strengthens the idea that there are definite benefits to keeping companies safe if IT reports into security, in order to prevent over-zealous CIOs from rolling out a mass of tech that may lack robust security features and certificates.

Furthermore, security taking the lead could help companies keep up with all the emerging threats they face, such as zero-day vulnerabilities.

“Microsoft comes out with a Patch Tuesday every 90 days; it’s actually an interesting race condition to try and keep up with a 90-day patching cycle when you’ve got hundreds of thousands of machines,” said Dolly, discussing IT security in the healthcare sector.

For the full interview, take a look at the video above.

Quiz: What do you know about cybersecurity in 2016?