There is natural tension between the role of the chief information officer (CIO) and that of the chief information security officer (CISO). While the CIO looks to better leverage and implement new services, the CISO aims to find security risks in why certain services should not be used.
This is actually a complementary tension that should result in a healthy decision-making process that balances need with risk, but in practice, friction is often unavoidable. Security initiatives and solutions add complexity, overhead, and friction to architectures that some believe are already too complex. Access procedures and slow performance caused by security measures often frustrate employees and the very IT organizations looking to deliver seamless capabilities to those employees.
How to develop an effective CIO/CISO relationship
Today, risk management and security are top of mind at every level of the enterprise, from individual contributors to board members. We all know a security breach can be catastrophic to a business and its reputation, with the average cost per incident in the United States estimated at over $8 million. Given this reality, employees using IT services and the CIOs who are responsible for those services must be supportive of security measures.
[ What’s next for the CIO role? Read CIO role: Everything you need to know about today’s Chief Information Officers. ]
Here are five tips on how to change the traditionally contentious CIO/CISO relationship into a more collaborative and effective one.
1. Identify common goals
This goes beyond generalities on compliance and data security. The CIO/CISO should identify common goals to the level of specific initiatives. Here’s an example: Most CIOs and CISOs would agree that reducing complexity is a worthy goal. One approach to this is building security into applications during development from the ground up, rather than trying to add later or by buying third-party solutions to defend them. This approach can lead to better security with fewer security products and less complexity. By collaborating to implement a built-in/not tacked-on strategy, both the CIO and CISO can meet their goals.
[ More IT organizations are baking security into the development process from the start. Read also: Security 2020: 4 trends to watch. ]
2. Share in the articulation for risk acceptance
The CIO and CISO need to work together as equals, and both need access to the CEO and the board. This is especially true when a potential high-risk approval is required, as due to the conflicting priorities of the two roles, the decision can require higher purview. Before taking the ask to the CEO and/or board, the CIO and CISO should align and clearly articulate all data for a risk-based decision. Ultimately, it is the CISO’s job to identify the level of risk that needs to be accepted or denied by the approver – whether a business owner, the CEO, or the board.
3. Establish clear areas of responsibility
Agreeing on exactly who is responsible for what is one of the surest ways to avoid friction in every area of a business, and having a clear decision-making framework, like DACI, defined between the IT and security teams is no exception. For example, most network security decisions will have implications beyond security, such as access steps and user response times. It can make sense to make decisions based on an executive’s area of expertise, but it is extremely important to have a clear understanding of who owns the final decision to move forward or not.
4. Take a quantitative approach to risk management
Not all risks are created equal. When services and applications are competing for security resources, it makes sense to quantify as much of the potential risk and probability of occurrence. For example, if an engineering group can’t work for X hours due to a ransomware attack, the value of those lost hours can be calculated as significantly more hours/higher cost than an investment to reduce incident risk. This data-based approach can lend a measure of rationality to the debate over security resources.
5. Work on the personal relationship
Many CIOs and CISOs have had years of technical and leadership experience and can often look at their role from their lens alone. But the type of decisions that they make go beyond technical considerations, and so does the working relationship. The CIO and the CISO should reach a point where they are aligned on the respective charter of their groups, and also work to develop strong professional working chemistry.
Conflicting points of view and natural tension between roles are an important part of business and should not prevent leaders such as CIOs and CISOs from working collaboratively to solve problems and meet business goals.
[ Culture change is the hardest part of digital transformation. Get the digital transformation eBook: Teaching an elephant to dance. ]