As cyberspace has evolved and matured, the role of the CTO has become increasingly demanding due to the business-damaging nature of cyber threats, which are constantly changing and becoming more covert and sophisticated. Accordingly, the CTO needs to embed security in every technological aspect of their organization and collaborate with the CISO to ensure more robust security governance and efficient security operations (SecOps).
The role of the CTO in security can be described in six key areas, as follows:
1. Security Governance
Security governance requires strategizing and implementing the security defenses of an organization. This should be in the form of a 360-degree approach that closely evaluates and protects every asset of the organization, including the people and processes.
More notably, the organization must recognize that not all of its data is of equal value, and that specific datasets need more protection than others. This tiered approach helps balance the risk of threats and directs more resources toward protecting the most critical assets.
The CTO is well placed in the C-suite to have the authority and responsibility to engage senior management in understanding cybersecurity priorities and creating executive buy-in for cyber risk management programs. The CTO should help identify priority levels required for various datasets and invest the needed resources accordingly — budget, personnel and technology. This requires collaboration among senior management to determine the value of multiple data assets in an organization.
In engaging senior management, the responsibility lies with the CTO to help them understand how effective various security programs are and why cybersecurity should be treated as a permanent capital expenditure, rather than allocating budgets reactively in response to recent security incidents.
2. Close Collaboration With The CISO
In almost all industries, growth and business sustainability are increasingly relying on existing and new technologies, such as artificial intelligence (AI) and the Internet of Things (IoT). While this is good for staying competitive and uncovering revenue growth, it also presents more cyber risk and complicates the process of defending against threats.
The CISO’s responsibility is to secure digital fronts and assets and fortify cyber defenses. However, the CTO should closely collaborate with the CISO to mitigate the risks associated with new technologies while helping their organization tap into the opportunities and benefits those technologies offer. This approach requires treating security as a fundamental consideration throughout the decision-making process. Consequently, preparing the cybersecurity unit to foresee and mitigate risks goes hand in hand with new technology rollouts and upgrades.
3. Deploying Security-First Technologies
Organizations are increasingly connecting their data and business systems to the internet to deliver value and grow revenue. This inherently exposes an organization to a multitude of threats and a large number of entry points to defend.
Additionally, organizations need to combat insider threats from employees, partners and suppliers. The CTO can help prepare and enforce a governance framework that thoroughly validates the technologies used in an organization and ensures that they take a security-first approach, where technologies and processes considered inherently less secure are retired within the organization.
For example, the CTO can start disallowing employees from using insecure email clients or protocols that don’t support multifactor authentication, or start requiring partners to meet a set of security standards to qualify for business engagement.
4. Continually Evaluating The Organizational Technology Landscape
No matter how thoroughly an organization’s cyber defenses are fortified, weak links in the form of improperly maintained systems or irregular approaches to applying security patches can leave vulnerabilities undetected and open to exploitation. The CTO should help continually identify the tools and platforms used throughout the organization and evaluate whether the underlying maintenance and patching processes are relevant and robust against today’s cyber threats.
5. Embedding Security Into Processes And Operations
The CTO should help create a culture that treats security as the responsibility of the whole organization instead of a function of the IT department alone. This requires analyzing security risks at many different levels and engaging everyone in the organization on the necessity of following organizational security practices.
While the CISO holds an operational role in ensuring security for processes and operations, the CTO needs to help their CISO with executive approval and engagement programs that involve department managers from the beginning. This ensures that the respective leaders and senior managers understand the security imperative and offer cooperative support.
6. Vendor Management With Security As A Key Aspect
An organization today works with various vendors for its needs across business units and functions. The CTO is responsible for setting security standards that dictate how the organization chooses to work with or acquire tools from vendors. It’s imperative to restrict business units from collaborating with vendors that don’t meet the security and compliance requirements, such as their testing policy, bug bounty programs, responsible vulnerability disclosure policy, and the prioritization of security patches.
It’s also not uncommon to rely on open-source software or freely available tools, which may require a support contract to guarantee timely responses and prioritized fixes for issues that affect the organization. It’s necessary to explicitly review open-source usage in the organization and set up support contracts with open-source vendors or project maintainers to ensure that the organization is not left exposed to vulnerabilities in that software.
The CTO’s Changing Role
Today, security has become an organization-wide imperative, not just the responsibility of the IT department. Accordingly, the CTO, as the technology leader of the organization, is tasked with overall security governance while closely collaborating with the CISO and senior security professionals. The CTO’s primary responsibility is to persuade senior management to prioritize security as an organizational responsibility, so that everybody observes security practices and processes as fundamental to the business and its cyber risk management.