by Esther Shein

Perfect strangers: How CIOs and CISOs can get along

Dec 16, 2020

The rise of security as a strategic imperative has altered the relationship between IT and infosec leaders. Here’s how CIOs and CISOs can become better partners.


A pandemic makes CIOs and CISOs strange bedfellows, and this year they have had to work together more closely than ever under unprecedented circumstances. The result? The state of the relationship has generally improved.

Organizations across the board have accelerated their digital initiatives and migrations to the cloud to support remote workers and customers in the past several months. This has “caused people’s risk appetites to shift very, very dramatically and it’s caused CIOs and CISOs to be even more locked at the hip,’’ says Jeffrey Wheatman, a Gartner Research vice president.

A symbiotic relationship is also needed now because “boards are now asking more and sometimes better questions about cybersecurity,’’ says Wheatman, “and that has resulted in CIOs and CISOs trying to at least have aligned stories or narratives.’’

CIOs and CISOs agree that the push to automate manual processes and capabilities to create efficiencies has necessitated working together more closely. “The CIO and CISO have to be so tightly coupled together in roadmap and strategy, regardless of reporting structure,’’ says Patricia Titus, chief privacy and information security officer at insurance company Markel.

Security is now strategic

This isn’t always the case when the CISO reports to the CIO. “Unfortunately, some CISOs struggle being under the CIO because, ultimately, some of the things they find and need to fix will make it harder for the CIO to do their job,’’ Wheatman says. “I think the CISO wants to make sure data during movement shouldn’t be available to people who shouldn’t see it and [keep] the integrity of systems and security and compliance, so there’s a little bit of divergence about what the objectives are” between the two roles.

The good news, he says, is there is less conflict than there used to be and more synergies between the two roles, thanks to a recognition by business executives and stakeholders that they are increasingly dependent on technology.

The maturity of security as a discipline has also grown. “Security has now become viewed as more of a strategic initiative rather than people who say, ‘No, stop, don’t,’” Wheatman says. “We used to refer to that type of CISO as ‘Dr. No.’ We’re seeing less of that.”

When CIOs and CISOs see themselves more as partners and peers, that drives synergies, Wheatman adds. “As we see the convergence of operational technologies like IoT and cloud, there’s a recognition the two have to be more in lockstep, rather than CIO throwing things over the fence and saying, ‘You have to secure this thing we have implemented.’”

Evolution of the CIO-CISO relationship

Titus and Mike Scyphers, Markel’s CIO, have worked together for almost five years and have what could be characterized as the ideal work marriage — one of mutual respect and praise. Both speak deferentially about the other.

Patricia Titus, chief privacy and information security officer, Markel

Scyphers says that with the proliferation of consumer technology and the ability for business units to spin up their own cloud services, it’s very easy to get focused on innovation “without baking security in.” He calls his relationship with Titus “valuable” and says, “I can’t imagine [deploying technology] without that partnership.”

Titus originally worked in the IT department and Scyphers says he “fully endorsed” her moving out.

“Any time we have a conversation where there isn’t a healthy [discussion] of checks and balances, I get nervous. Having Patti say something is wrong, starts as being correct,’’ he says. “I’ll debate our different views but … when everything is in the IT organization, ultimately, I found myself on both sides of the ledger, and while you always try to do everything right, you have blind spots, and this helps you compensate.”

Scyphers says he’s averse to playing “good cop, bad cop,” so when security concerns crop up, IT turns to the security team “to get a read on it. If they’ve got the answer, we don’t waste time on it.”

There has long been a perception that the CIO-CISO relationship is confrontational with one reporting to the other and taking a “you must do what I tell you’’ attitude, says Gary Hayslip, CISO at SoftBank Investment Advisers.

Earlier in his career, Hayslip was a CIO and transitioned into the CISO role and says he used to believe that CISOs shouldn’t report to CIOs. “The CISO’s job is managing risk using people, processes, and technology, whereas the CIO’s job is providing services. Those are very different views,’’ he explains. “We’re using the same resources, but we approach issues very differently.”

That said, the IT stack and security stack of technologies are intertwined, and that means both teams have to support the other, Hayslip adds.

Hayslip reports to Wil Bolivar, head of technology and information security at SoftBank, and says they are “really good friends.” He also reports to SoftBank’s CFO. In prior roles, Hayslip says he’s reported to some “really good CIOs” and CISOs, and others with whom he’s had a contentious relationship.

“Sometimes you run into CISOs who can be very focused and almost in your face about security and risk, which doesn’t always work,’’ Hayslip says. “They’re very tactical CISOs and don’t play well with others and they think all the risk issues have to be handled now, now, now.”

Hayslip describes himself as a CISO who is both tactical and strategic. “I look at my job as a business executive who happens to do cybersecurity, and I have to work with my peers in other business units” and explain the value of security.

Gary Hayslip, CISO, SoftBank Investment Advisers

“The only way to make that happen is, I can’t be in their face; I have to understand how they work, what they need, who are their major customers and how can I support them,’’ Hayslip says. “I approach it that way and I get a lot more traction.”

If a CISO is strictly tactical, he adds, the business will “only put up with your crap so long before they kick you to the curb.”

Hayslip believes being tactical is a “maturity problem” when a CISO has only worked with small companies and is used to putting out fires and hasn’t had a chance to grow professionally.

Reporting structures

The reporting structure varies from company to company and can also differ by industry. For example, reporting to the CFO if you’re in financial services tends to make more sense, says Gartner’s Wheatman. CISOs who work in shipping, logistics, or retail most likely report to the COO.

“I take 600 calls a year, and probably 80 to 100 are on organizational structure, and the root question is, should the CISO report to CIO?” he says. In past research Wheatman has done, about one-third of CISO respondents said they are not part of IT, he says.

Cybersecurity is often moved out of IT when an organization recognizes that security is a business problem and not a tech problem, he says. “When it’s part of the CIO’s [purview] … everyone assumes [security is] a tech problem. There are tools involved and yes, technology, but cybersecurity is operational technology.” The focus is on supporting the business processes and legal and regulatory requirements, Wheatman says. “None of those are the CIO’s or tech’s problems.”

In the 14 years Wheatman has been with Gartner, data from the firm’s security conferences have shown that about 35% of people who report themselves as head of security for an organization don’t report to IT, he says. “It’s flatlined now.”

Brennan Baybeck, vice president and CISO for customer services at Oracle, reports to the head of a business line, but says he reported to the CIO for seven years and had a positive experience.

“I was fortunate to work with a CIO who was progressive, understood the importance of security and was a huge advocate for it,’’ says Baybeck, who is also board director of the IT governance organization ISACA. Baybeck says he was able to articulate and demonstrate to the CIO the importance of security to the company’s strategy, both from a business and IT perspective. He did that “by continuously reporting to the CIO, educating him and keeping him aware of how security was enabling our business, and understanding security posture, risks, and vulnerabilities.”

Brennan Baybeck, vice president and CISO, Oracle

Baybeck says he took the initiative to meet with the CIO on a regular basis, not just about security, but to share ideas for how to make IT more efficient and effective through security services.

“He elevated me to his leadership team, which meant that I was not only able to advise executives on security, but also make sure that security was embedded and relative to the business and IT strategies,’’ he says. “Additionally, I was able to provide value to the IT team.”

Advancing security took about 75% of Baybeck’s time and he used the other 25% to work at obtaining additional resources. “For many of my peers, that equation is flipped and they spend the majority of their time fighting for and justifying resources.”

Hayslip believes it’s a good thing for a CISO not to report to a CIO. That way, “risk is more visible and the organization is able to, from a strategic standpoint, understand where things will be managed,” he says.

In that type of environment, the CIO and CISO should be peers and still meet on a weekly basis, he says.

The pandemic effect

The pandemic has certainly fostered having one another’s backs as IT scrambled to enable remote work and security teams worked to ensure employees were authenticated when tapping into the network remotely and that data remains secure. “If your [security team] is doing that without the support of IT in the pandemic environment we’re in right now you’re crazy,’’ Hayslip says.

The network edge has moved into the home, he notes. “I have 680 networks to worry about because I have 680 employees instead of one network,’’ Hayslip says.

Although Clemson University Vice President and CIO Russell Kaurloto had a good working relationship with CISO Hal Stone prior to the pandemic, he agrees that COVID-19 has “solidified it and brought closer how we share information and communicate more effectively.”

Clemson had roughly 1,800 students working online remotely and that number jumped to around 26,000 along with 4,000 faculty and staff in March. “I talk to my CISO weekly, one on one, but he’s also involved in a daily COVID call where we go through systematically what’s going on,’’ Kaurloto says.

Tips for CIO-CISO harmony

Echoing Hayslip, Wheatman says that with the uptick in digital business, it’s counterproductive for a CISO to wag their finger at the CIO and say, “You need to do what I say or else. It’s more about, ‘We need to work together to solve a problem that the board or COO, or CEO or CFO says is important.’ It’s growing over time.”

For example, Wheatman worked with a CISO at a midsize financial credit union to build a deck for his audit committee. They constructed his narrative, starting with the business objectives and then the steps the CISO would take to build his cybersecurity program. “The CIO got ahold of it and said, ‘We have to talk to the board about threats and technology, and I’ve talked to boards and they’re not interested in that and they don’t understand what the takeaway is,’” Wheatman recalls.

They ended up having to do a joint call with the CIO to say, “Look, this is why this message won’t be constructive,’’ he says. While Wheatman doesn’t know what the outcome was, “those [scenarios] are still common. It should be less than 5% and it’s probably 20% to 25% of the time that those issues come up.”

Wheatman tells security leaders that they need to figure out how to tell their story — not just to their own boss — but through them to their boss’ boss.

“Often, we get lost in technology and end up talking about tech for tech’s sake and not enough about the business value, revenue, culture, and risk management,” he says.

CISOs need to come up with a common set of terms of reference, he says. “We use words like ‘cybersecurity’ and ‘threats’ and ‘vulnerabilities’ and ‘risk.’ And we use them inconsistently, so we need to communicate a frame of reference in a consistent manner.”

They also need to make sure they’re aligned with the business objectives. “That sounds patently obvious, but in a lot of cases, it’s not,’’ Wheatman says. “CIOs tend to be more mature and they need to help the CISO elevate their messaging to get to that higher level of maturity.” They need to be aligned even if they are not in agreement on everything, he stresses. “They need to have the same long-term vision, and that’s not always the case.”

The biggest cause of friction is about budget, notes Hayslip. A CIO will be told they need to cut their budget while the CISO is focused on trying to build out a cybersecurity program and manage risk, he says.

“Nine out of 10 times that’s where the priorities differ.” Hayslip says he’s found that if the lines of communication stay open and the CIO and CISO meet weekly, even if it’s just for a half hour to fill each other in, both sides will learn a lot.

“The CIO will give you insight on politics so you have good insights on the company’s problems or how the business is shifting,” he says. That way, they can put their heads together to figure out where they can derive savings.

If the CIO and CISO are talking to each other, there are no surprises, he says. “I’ve found when we do that we work extremely well together.”

Baybeck agrees that nurturing relationships and building partnerships is key. “A CISO should strive to be considered a trusted advisor to the CIO, to the point where they are anticipating their needs and informing them of issues or opportunities they may not even be thinking about in relation to security risks.”

All the CIOs and CISOs agree that mutual respect is perhaps the most important ingredient in the relationship.

“Right from the start, there has to be mutual understanding of … what we’re trying to achieve and maintain on a daily basis,’’ says Clemson’s Kaurloto. “That’s key. The second thing is to build a close relationship of mutual respect. You’re not always going to come to the same result and you won’t always be in unison. But with mutual respect you’ll find that common ground.”

There also needs to be full transparency, he adds. “If it comes across that you’re not walking the walk you won’t be able to gain the respect and understanding of your CISO. Your CISO is part of your overall success. If you don’t have a good relationship and true transparency you will constantly have friction.”

Markel’s Scyphers says that he and Titus focus on business outcomes rather than a security or IT problem. “We both bring our disciplines to support that. Patti is the consummate professional … I encourage that trust to be there. It’s critical.”

For her part, Titus says it’s important to challenge each other, “and when you come out you have a concerted front. You solve your problems behind closed doors.”

“It’s important to focus on the partnership” and both sides may need to make concessions to get to that common goal, she says.

“We may deviate a little on how we get there,” Titus says, “but at the end of the day, we’re going to cross the finish line together.”

Just like in any good marriage.