HOW TO ORGANIZE YOUR COMPANY’S CYBERSECURITY
The digital transformation of the maritime and logistics sector is disrupting old business models. As a result, Information Technology has become an indispensable function in the corporate office. But when it comes to cybersecurity, we note a common arrangement across many companies, where it is perceived as, and remains, the responsibility of the IT function.
But is tasking network specialists and system administrators with accountability for the company’s risk management, cybersecurity, and compliance the prudent thing to do? To maritime business leaders who argue, “What could be more natural than putting IT in charge of cybersecurity?”, here is our response.
WHO GUARDS THE GUARDS?
On the other hand, the key role of cybersecurity is to find risks and address them. A Chief Information Security Officer (CISO) or an equivalent role looks for potential problems in the firm’s operations and technologies. A CISO’s performance evaluation starts with how well they point out threats and risks. The business then has to decide on its risk appetite: what level of risk the firm considers appropriate to carry, subject to budget considerations. Then the cybersecurity function develops strategies and implements controls to reduce residual risk to the accepted level, guiding the IT team accordingly.
We claim that such tensions and conflicts, if managed properly, are positive and contribute to the cyber resilience of the company. Consider a familiar storyline. Employees wish to work from home, and the business agrees. But security stresses potential risks and imposes limitations: virtual private network (VPN) tokens and 2FAs to connect and authenticate to some business applications, while blocking remote connections to other databases or software. Mitigating potential risks often introduces some cumbersomeness to the digital processes, which triggers co-workers’ defiance. “Hey! Everything was fine!” Moreover, there is no end in sight: the cybersecurity role could disrupt and limit IT repeatedly, as technologies and threat actors evolve. The cybersecurity “forensic squad” probes the company’s IT, digs up more vulnerabilities, and demands further changes and resources to mitigate risks.
Furthermore, when a security issue is discovered, be it through the CISO’s proactive work or after the damage is done, the IT staff will tend to be defensive about it. After all, a breach implies that IT erred in their preferences, plans, or execution. The IT department is financially invested in the existing architecture and products; the CIO and IT staff may be personally committed. All of these feed opposition to the frequent changes that security personnel request.
WHEN SECURITY REPORTS TO IT
Limiting the functionality of applications and suppressing worker productivity and business effectiveness to prevent hypothetical risks is hardly an easy proposition. Cybersecurity activities do not generate revenue, they consume resources, and security controls often hamper usability and performance – the exact opposite of what the IT department holds dear. The CISO will be hard-pressed to contest the CIO if the latter is higher in the organizational chart. When the tensions escalate to senior decision-makers for resolution, security is almost destined to lose. First, revenue-generating IT projects will trump security workloads in a competition for resources. Second, any demand for changes to bolster security means additional IT workloads, delaying the delivery of core IT projects. Third, the IT department also enjoys the advantage of technical expertise when debating the magnitude of cyber risks. Most non-technical business leaders feel ill-prepared to defy it. These are just three reasons that demonstrate inevitable structural tensions between IT and security.
HOW TO SET UP AND ORGANISE YOUR COMPANY’S CYBERSECURITY
Fortunately, there is a way to channel these tensions to contribute to your business’s resilience.
Numerous maritime and logistics services firms, especially the smaller ones, suffer from three difficulties: nascent awareness, institutional legacy and budget shortages.
Since many marine and logistics businesses have only recently embarked on their digital transformation journey, cybersecurity awareness is naturally nascent. The constant news stream covering cyber harms in the broad economy and the sector might help build awareness. However, designated table-top exercises and training have proven their effectiveness in boosting cyber awareness and maturity.
Most SMBs lack budgets. Cost savings support the default organization: offloading security to the IT person or department. This prevailing organization in the maritime and logistics services sector also reflects historical legacies: as the IT staff possessed capabilities to address cybersecurity, IT departments have become accustomed to performing cybersecurity-related tasks. Either way, it is inadequate. As direct experience and empirical evidence have amassed, most cyber-mature organizations have long separated security from IT. Among the organizations surveyed for the IDG 2020 Security Priorities report, just 1 in 3 CISOs (or equivalent cybersecurity roles) report to the Chief of IT.
Where a CISO position has been established, staffing it is difficult: growing demand exceeds supply. Fortunately, market innovations have produced a CISO-as-a-Service business model that offers similar value for 1/3 the cost of a permanent employee. Economies of scale mean that even small businesses can afford an on-demand virtual CISO (vCISO). The typical vCISO has a wealth of tactical and strategic experience with various scenarios, risks, and best practices. This experience facilitates the vCISO’s interaction with the corporate functions, key stakeholders, and regulators. Thus a CISO-as-a-Service can efficiently design a better security strategy for your firm. Managed Security Service Providers (MSSPs) can often implement much of the strategy’s solutions effectively, without the need to directly employ specialists.
Key takeaways
- If a functioning IT is critical to your business’s survival, appoint a dedicated person in charge of cybersecurity.
- Consider contracting a “CISO as a service” or an independent security consultant where the business does not justify an FTE.
- Consider positioning the CISO to report directly to the CEO.
- Do not assign responsibility for cybersecurity to IT. Cybersecurity is a distinct profession. Moreover, despite some overlaps, the relationship between the IT department and security is governed by structural tensions. If a functioning IT is critical to your business’s survival, your security leader had better report directly to top management, not the CIO.