[BreachExchange] 5 rules for a healthy CIO-CISO relationship

[Destry Winant]

https://enterprisersproject.com/article/2020/2/cio-ciso-relationship-5-tips

There is natural tension between the role of the chief information
officer (CIO) and that of the chief information security officer
(CISO). While the CIO looks to better leverage and implement new
services, the CISO aims to find security risks in why certain services
should not be used.

This is actually a complementary tension that should result in a
healthy decision-making process that balances need with risk, but in
practice, friction is often unavoidable. Security initiatives and
solutions add complexity, overhead, and friction to architectures that
some believe are already too complex. Access procedures and slow
performance caused by security measures often frustrate employees and
the very IT organizations looking to deliver seamless capabilities to
those employees.

How to develop an effective CIO/CISO relationship

Today, risk management and security are top of mind at every level of
the enterprise, from individual contributors to board members. We all
know a security breach can be catastrophic to a business and its
reputation, with the average cost per incident in the United States
estimated at over $8 million. Given this reality, employees using IT
services and the CIOs who are responsible for those services must be
supportive of security measures.

Here are five tips on how to change the traditionally contentious
CIO/CISO relationship into a more collaborative and effective one.

1. Identify common goals

This goes beyond generalities on compliance and data security. The
CIO/CISO should identify common goals to the level of specific
initiatives. Here’s an example: Most CIOs and CISOs would agree that
reducing complexity is a worthy goal. One approach to this is building
security into applications during development from the ground up,
rather than trying to add later or by buying third-party solutions to
defend them. This approach can lead to better security with fewer
security products and less complexity. By collaborating to implement a
built-in/not tacked-on strategy, both the CIO and CISO can meet their
goals.

2. Share in the articulation for risk acceptance

The CIO and CISO need to work together as equals, and both need access
to the CEO and the board. This is especially true when a potential
high-risk approval is required, as due to the conflicting priorities
of the two roles, the decision can require higher purview. Before
taking the ask to the CEO and/or board, the CIO and CISO should align
and clearly articulate all data for a risk-based decision. Ultimately,
it is the CISO’s job to identify the level of risk that needs to be
accepted or denied by the approver – whether a business owner, the
CEO, or the board.

Agreeing on exactly who is responsible for what is one of the surest
ways to avoid friction in every area of a business.

3. Establish clear areas of responsibility

Agreeing on exactly who is responsible for what is one of the surest
ways to avoid friction in every area of a business, and having a clear
decision-making framework, like DACI, defined between the IT and
security teams is no exception. For example, most network security
decisions will have implications beyond security, such as access steps
and user response times. It can make sense to make decisions based on
an executive’s area of expertise, but it is extremely important to
have a clear understanding of who owns the final decision to move
forward or not.

4. Take a quantitative approach to risk management

Not all risks are created equal. When services and applications are
competing for security resources, it makes sense to quantify as much
of the potential risk and probability of occurrence. For example, if
an engineering group can’t work for X hours due to a ransomware
attack, the value of those lost hours can be calculated as
significantly more hours/higher cost than an investment to reduce
incident risk. This data-based approach can lend a measure of
rationality to the debate over security resources.

5. Work on the personal relationship

Many CIOs and CISOs have had years of technical and leadership
experience and can often look at their role from their lens alone. But
the type of decisions that they make go beyond technical
considerations, and so does the working relationship. The CIO and the
CISO should reach a point where they are aligned on the respective
charter of their groups, and also work to develop strong professional
working chemistry.


Conflicting points of view and natural tension between roles are an
important part of business and should not prevent leaders such as CIOs
and CISOs from working collaboratively to solve problems and meet
business goals.