
Why organisations need to harmonise their CIO and CISO roles

Unless properly managed, conflicting responsibilities between the chief information officer and the chief information security officer can cause project delays and budget overruns, says Netskope’s Mike Anderson

The chief information officer (CIO) is a corporate executive in charge of IT strategy and implementation in an organisation. Conversely, the chief information security officer (CISO) is a senior-level executive responsible for developing and implementing the information security programme.

The inherent philosophies behind these two roles are diametrically opposed to each other. One is responsible for the sharing of information in an organisation, while the other controls access to it.

The conflict between these two roles can be exacerbated by the internal structure of the organisation, as the CISO typically reports to the CIO and draws upon the same budget. “It’s important when you’re planning for the year to make sure that ‘priority one’ for one team is not ‘priority three’ for the other, but that it’s ‘priority one’ for both teams,” says Mike Anderson, global CIO and chief digital officer at Netskope.

Although the CISO typically reports to the CIO, it is not unheard of for the inverse to be the case, where the CISO oversees the CIO’s operations. This can be found in organisations where the need for information control and security is paramount, such as defence and critical infrastructure.

“I was talking to a CISO, and their CIO has taken the network organisation and said ‘You own the network now, because we have to make sure we have security of information’,” says Anderson. “He’s actually moved the network team under the CISO in his organisation.”

One of the core sources of friction between the two roles concerns their budgetary needs. As both come under the same division, and one reports to the other, the budget of one often incorporates the budget of the other, despite their inherently different needs. Hence, budget that was intended to fund one resource may be siphoned off to meet the demands of another, leading to conflict.

“Where you tend to see some of the friction is when there’s not a good alignment around how they are paying for the security transformation work that they’re going to do as an organisation,” he says. “If you’re trying to pull it out of the infrastructure budget, that’s going to naturally create friction.”

Objective alignments

The friction between CISOs and CIOs tends to stem from a lack of joined-up thinking. Without a unified approach to organisational management, department heads will all too often pursue their own goals, without considering the wider organisational impact or how they could achieve their departmental objectives with a more cohesive approach.

Aligning objectives at every level – from individuals and teams up to executive management – with those of the overarching top-level goals of the organisation can promote internal cohesion. For example, a top-level goal of expanding into new markets might become a goal of enabling global information flow for the CIO, while the CISO would become focused on securing global flows of information. With everyone working towards the same overarching organisational goals, conflict is reduced and efficiency is improved.

Reducing departmental boundaries in an organisation, as well as promoting holistic and multi-faceted methodologies, will enable joined-up thinking. Encouraging departments to communicate with each other and coordinate their projects can reduce some of the inter-departmental friction between the two roles.

“Where I’ve seen roles being successful is where they break down the organisational silos and organise a cross-functional team,” says Anderson. “If you’ve got an outcome you’re trying to drive, put [in place] dedicated people from networking, security and the endpoint teams, to have a cross-functional team working towards that outcome.

“If it’s bigger than a single team, then break it up into a team of teams to focus on that outcome,” he says. “That way, you don’t have someone being pulled off working on that project to do something else because it’s a higher priority.”

Defined budgetary allocations

A clearly defined budget programme that dedicates funds to specific projects or goals would also enable CIOs and CISOs to better manage their resources. An explicit understanding of the financial year’s budgetary expectations would allow both roles to fully appreciate the resources available to them and what those resources are expected to be used for.

However, for this approach to be effective, both the CIO and the CISO should be involved in the budget meetings. The insight offered by their involvement will ensure that the assigned budget for the coming financial year is developed with a complete understanding of the financial requirements.

All too often, budgets are allocated without a complete understanding of the financial necessities for departments. For example, resources could be allocated for new systems and software without appreciating the need for budget to be set aside for maintenance and licensing.


From the outset, the role of the CISO should be clearly defined and communicated in the organisation. There needs to be an organisation-wide understanding of the CISO’s responsibilities, as well as the nature of their reporting structure.

A CISO should be responsible for either governance and auditing, or implementation and operations. They should never be responsible for both – if that were the case, the CISO would be auditing themselves, which could lead to subconscious bias and inadequate oversight of information security. The CISO should either provide oversight and auditing of security operations, which are undertaken by a team that reports to them, or they and their team should implement and operate information security, with oversight provided by a senior role, such as the CIO.

“Generally, the CISO tends to be more of a governance and policy role, otherwise you have the analogy of a fox guarding the hen house. If your job is governance and policy and you’re also the person responsible for controlling those buttons, then who’s auditing you?” says Anderson. “We’ve seen what happens when you have to self-report, as you tend to hide some of the things that look bad on you.”

Security by design

All too often, security is considered independent of the wider organisation, something that is seen as a business necessity rather than a core part of product development. Embedding security by design in a product or service makes the CISO a vital role in an organisation, while also becoming a dedicated feature that organisations can offer.

“If people align well, they can get something done,” says Anderson. “We had an organisation that rolled out our technology, because they were aligned, in 90 days for 125,000 people globally. At the same time, I’ve seen 5,000-person organisations where they don’t align well, and it’s 18 months later and they are not fully deployed yet, because they can’t get out of their own way.”

One method for aligning security considerations is to embed them into the organisation’s overarching business strategy. Instead of treating information security as simply a legislative requirement, policies can be embedded in the foundations of an organisation, such that security considerations are weighted equally alongside other business needs.

“If they don’t talk security by design or how they’re going to instrument things, then what happens is security becomes a roadblock at the end that keeps things from being released,” he says. “It becomes a blocker versus a partner.”

The financial impact of investing in new technologies can also be mitigated by aligning them with employee training and using some of the professional development budget. This will ease some of the budgetary pressure between the CIO and CISO roles, thereby reducing conflict.

“The way we traditionally did networking, with hub and spoke architectures, a lot of that can go away in favour of more cloud, so that presents opportunities,” says Anderson. “You can solve some of the budget problems and at the same time you can be upscaling your talent.”

Conclusion

It is entirely possible, as the need for information security becomes ever more prevalent, that the CIO and CISO roles will become a single role. “I do see some homogenisation, just as we saw the rise of the chief digital officer,” says Anderson.

“The CIO role is for infrastructure, but it’s also responsible for CRM, apps and ecommerce inside my organisation. I see a trend, where we may see an evolution of roles, and maybe it’s the blend of the CISO continuing to be more governance and policy, and my infrastructure leaders starting to take more ownership on security to eliminate some of the infighting that occurs in organisations.”

Until then, to mitigate potential conflict between the CISO and CIO, there needs to be a breaking down of departmental silos to foster collaborative thinking and embrace a unified approach to achieving common goals.

“A lot of the CISOs that have done well refer to their infrastructure leader as the person they are most closely connected with,” he concludes. “Without them working in concert, they cannot achieve the outcomes they want to accomplish.”
