CISOs are from Mars, CIOs are from Venus

   I recently had the opportunity to speak at the Argyle CIO Leadership Forum in Chicago.  I sat on a couple of panels and had some fun delivering a talk called "CISOs are from Mars, CIOs are from Venus" (slideshare).
   There was a clear theme of cloud, mobile and BYOD.  There were both CIOs and CISOs in attendance so there were different perspectives on these challenges.  That certainly tied into my closing keynote.

   After the conference I was interviewed by the conference organizer.  The interview will be posted on the conference website, but here is a copy:

• What are the two different worlds that CISOs and CIOs are living on right now? 

Of course, the title of the talk was a play on the book title from John Gray.  But the allusion works because CISOs and CIOs have often followed different career paths to get to their senior-level positions.  While there are plenty of exceptions, many CIOs have a technical project- or product-management, business or financial background.  CISOs tend to have followed a “geekier” path, with previous positions as programmers, firewall administrators or security engineers.  In addition, IT and Security have different mandates – IT must innovate and operate; Security must inspect, block and protect.  For example, in new product/project delivery, the CIO wants to deliver an innovative product on-time and on-budget.  The CISO wants to slow things down to assure appropriate controls are built into the design, programmed in and tested.  This can create a fundamental divide.

• What are examples of the different languages that they both use?

Words matter.  An often used security term is “Threat”.  CISOs speak of threat management as a fundamental part of the security program.  Threats can be from software – viruses and malware; actors – cyber thieves or attackers, or; physical/natural causes – power or weather.  The CIO considers project or organizational threats including budget, resources, and outsourcing.  One of my favorite misused words is “Risk”.  I’d like to declare a new law that we don’t use the word risk without a qualifier such as: project, security, regulatory, etc.  Some of the key IT risks include project risk, resource risk and budget risk.  In Security, we often use the traditional security risk calculation multiplying the likelihood of an event occurring, with a measurement of the impact to the infrastructure or organization should it occur.  One “risk” about which both CISO and CIO often agree is the organizational and career risk of a breach of data.

• How do CISOs and CIOs meet in the middle to make better business decisions?

How does that saying go? – The first step in solving a problem is to recognize that there is a problem.  Regardless of reporting structure, the CIO and CISO need to be strategic partners.  While their specific mandates might differ, the key here is to align with the overall organization mission and strategies.  Most organizations have a mission and mandate to provide quality service to customers.  Most boards have a mission and mandate to increase shareholder value and preserve the organization reputation.  None of these can happen if IT does not quickly and efficiently deliver quality services, or if products or infrastructure have security vulnerabilities or if there is a data breach.

• What are some key opportunities for the two to collaborate?

There are many!  Mobile/Social/Cloud/BYOD are different aspects of the radical paradigm shift in IT services – not only in how the services can be delivered but also in the expectations of the end users.  This is a fantastic opportunity for the CISO and CIO to anticipate need, drive standards, align with legal/audit, and provide strategic solutions.  I know that these services can be delivered with appropriate controls.  I also know that any IT organization not embracing these technologies can be sure that the rest of their company has already done so. 

Another key opportunity is in the area of Third-party risk management.  Along with mobile/cloud, this may be one of our greatest threats for improper data disclosure or other infrastructure breach.  Vendor management is a difficult challenge as we must partner to control not only data sharing but also third-party remote access to systems and infrastructure. 

My final example is the project/product lifecycle.  Key activities include defining design and secure coding practices, system standards and simple security requirements.  By partnering with IT and coming to the table early, we can help guide the business to a solution that meets its needs, meets standards and will be both safer and delivered on time.

• Is there anything else you would like to add?

Yes.  The bottom line is that Security and IT need to be service organizations.  They need to align to meet the needs of the business.  This won’t happen if they are pulling in different directions.  The CISO and CIO need to actively seek collaboration opportunities.  Otherwise, the business will find another way to accomplish its goals.

    What are your thoughts?  Are you an IT or Security professional?  Do you feel that your IT and Security organizations are aligned?  What are you doing to create alignment and meet business need?