C-Suite Relationships: The CIO-CISO Partnership
Believe it or not, IT’s role in the enterprise is not to make other functions happy — even though IT provides technology to help business teams meet their goals. Similarly, Marketing, Sales, or Finance are not here to help IT meet its goals, even though all are required to practice disciplined information security.
We’re all here to serve a goal greater than our specific functional responsibility. And to do that, the CIO must have solid relationships across the enterprise that serve as the input of every business achievement, not the output.
With that in mind, let’s take a look at one of the most critical relationships that today’s pivotal CIO can form — the one with the CISO. Their collaboration has two key outputs: enabling innovation without compromising data security, and securing sensitive information while still encouraging innovation.
Security can’t compete with innovation
A common theme in technology is the friction caused by competing priorities between IT and Information Security. Regardless of where the chief information security officer reports in an organization, the relationship and ability to integrate Security into innovation is critical.
Informatica CISO Roger Hale reports to me, and that works at Informatica. CISOs who report outside of IT often are only responsible for identifying problems, or they build large security operations teams that can be redundant to IT. This can create unnecessary competing priorities, additional operational costs to the company, and security gaps that can easily turn into chasms.
A large share of security problems are operational problems, like patching or asset management. That requires security and operations to work together — which isn’t going to happen if they have competing priorities. When the CISO reports vulnerability risks that the overcommitted IT VP doesn’t have the time or resources to address, it can create security debt that must be paid at some point. This conflict can put security and innovation in direct competition, and neither wins.
The solution is to have both roles aligned to enabling innovation. As Informatica’s CIO, I oversee both IT ops and information security, balancing investments across both functions to ensure equal attention to spotting problems and resolving them. This balance is foundational and must be the CIO’s priority even in organizations where the CISO reports somewhere other than IT.
The CISO’s role: Prioritizing risk
The CISO’s responsibility isn’t to identify risk, but to reduce it and, where possible, eliminate it — a role that’s not just active but proactive.
Consider the Wannacry attack that happened last May, a day before Informatica World. When I arrived at the event, our CEO and our head of sales both asked me why we didn’t get hit. They seemed almost offended, as if they were afraid we weren’t important enough to be targeted — which gave me the perfect opening to explain that we’d already remediated against the problem. (The day the attack was announced, we were patched at 96 percent, and we’d already updated our firewall to block the exploit link, if someone did click on it.) If we had been equally focused on some less significant vulnerability, I told them, we might not have gotten to this crucial one.
It happens all the time: companies are hacked because they simply haven’t gotten around to applying a security patch they already have for a known vulnerability. It’s not (always) a sign of incompetence. More often than not, it’s because IT’s capacity is limited, innovation projects are demanding immediate attention, and the CIO has to weigh the risk of focusing on those projects against scheduling two weekends of downtime to apply the latest patch set.
An experienced CISO understands how to prioritize risks and work with the CIO to roll out the right fixes at the right time — protecting the company by working together. That’s what makes the relationship between the two so important.
Roger’s first task as Informatica’s CISO was the same as mine as CIO: to build relationships — particularly by establishing the crucial rapport within the IT organization with the VP of Operations — by taking the time to learn how things work. He spent time with our previous CISO, Bill Burns, who’s now based in R&D as our chief trust officer, and familiarized himself with the privacy and general risk initiatives within our legal organization.
Roger is a pragmatic doer, not a detached theorizer. Like me, he needs to be seen not just as providing an oversight function, but as a business partner. This was an essential requirement for the role, because the CISO job presents a unique personal challenge for me: It’s the only job on my staff that I haven’t done myself, so like many CIOs, I rely on the CISO’s perspective.
I cannot overstate the importance and necessity of a collaborative, problem-solving relationship between CIO and CISO for any enterprise that wants to remain secure and keep innovating.
That wraps up these snapshots of CIO relationships for now — though I’m happy to tackle other dynamics if anyone’s got a particular interest in mind. Let me know your ideas — and your thoughts on the CIO-CISO partnership — in the comments, or find me on Twitter.