Yes, the CISO, CIO, and CTO can be friends!
It has always amazed me to see, read, and hear stories of Chief Executive Officers (CEOs) and other executives becoming very concerned that the Chief Information Security Officer (CISO) had become a close colleague of the Chief Information Officer (CIO) and/or the Chief Technology Officer (CTO). Why wouldn't you want a great working relationship? The CIO typically works on the business management side of the organization and is more internally and operationally focused. The CTO typically focuses on longer-term issues and the integration of new technology. The CISO typically monitors and analyzes potential security risks to the organization. Historically, more often than not, the CISO has reported to the CIO or the CTO. It is true that, when looking at the confidentiality-integrity-availability (CIA) triad, the CIO and CTO are normally more focused on availability than on confidentiality and integrity. That is exactly why the relationship between the CISO and the CIO/CTO is so important. Together they create balance in the CIA triad; too much weight on any one of those areas alone would leave the three-legged stool unbalanced and cause it to tip over.
What, then, can the CISO, CIO and/or CTO do to create harmony in the office? First, they can present a united front in the boardroom, with each sharing an equal voice and making sure the message is understood. The CISO will talk more about data privacy, security, threats, and the tools and personnel that are needed. The CIO will come from the "Land of Budgets" and "Business Needs." They should strive to meet in the middle and speak each other's language. Showing a united front in the boardroom can help calm the chaos and shift the tide.
Remember that breaches, hacks and cyber-attacks in financial services and healthcare, and those involving Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPAA) regulated data, affect everyone. They are not just problems for CISOs.
Ask each other: what problems or challenges am I causing you? What can I do to better communicate my concerns and project needs? Commit to being partners in resolving the corporate problems and challenges.
Now, I know that some are thinking at this point that this all seems like a bed of roses. I know, like many of you, I have seen and heard many stories from my peers who have not been as fortunate. Normally, that stemmed from insecure CEOs or other executive leaders who led a dysfunctional executive team. The CEO or other senior leaders may have subjected people to "bullying" at work. While the corporate bully may not look or act like the playground thug, the victim's response in either case is to hunker down and get out of the way. The executive bully uses fear or the threat of humiliation to silence critics or contrarian voices.
In a corporate setting, that adds up to lost opportunity. Employees' voices go unheard. Product defects are covered up; unethical practices continue unchecked; untenable financial risks are ignored; brilliant ideas never see the light of day. People are intimidated into keeping quiet.
The bullies may "shoot the messenger" and punish those who deliver unwanted news. More common, however, is for "executive bullies" to flaunt their power by summarily dismissing ideas or warnings they do not want to hear.
Organizations with an open, collaborative environment, where executives are approachable and listen to their peers and employees, are healthier, and those companies flourish. Where that is not happening, the CISO, CIO and/or CTO need to display even more of a united front.
The CTO takes on new technologies that keep the organization's competitive edge, the CIO takes on the operational IT requirements that keep the organization running, and the CISO takes on the ever-increasing security risks an organization faces as it embarks on new ways to store its precious data and information.
To Do List:
• Communicate regularly
• Be respectful of each position and its responsibilities
• Be ingrained in the business
• Avoid spreading fear without solutions
• Be immersed with the new technology
• Know the ever-changing threat landscape
• Learn to accept and embrace manageable risk
• Learn to protect data while enabling the business to run
• Know your scope, and your boundaries
• Be clear on the priorities
There is industry consensus that the relationship can, and often does, work. In my career, I have been fortunate to have a great working relationship with Emilia Sherifova (CTO, LearnVest; Head of Enterprise Architecture and CX/PX Engineering, Northwestern Mutual) and Mason Dansie (CIO, Matrix Medical Network). One of the main reasons I believe that we were able to quickly sync is that, besides having a strong business, legal, governance, compliance, risk, and regulatory background, I am a security person who comes from a technical background, having been a developer, database administrator, and code validation engineer, among other roles. I've done all those "geeky" things. Like them, I want to fix things. We have strong business and strategic backgrounds. And like me, they are committed to excellence. It has been a pleasure to know them and work alongside them over the years. I hope that you will be fortunate enough to have successful working relationships as I have. The key is PARTNERSHIP.