[BreachExchange] Why Do So Few CISOs Become CIOs?

Destry Winant destry at riskbasedsecurity.com
Mon Oct 19 10:33:24 EDT 2020


https://www.forbes.com/sites/peterhigh/2020/10/19/why-do-so-few-cisos-become-cios/#7f842129362c

Very few chief information security officers have risen to the ranks
of chief information officers. On the one hand, it would seem like a
logical progression. CISOs historically have reported to CIOs. The
importance of their roles has grown tremendously as the threat
landscape has done the same. Also, as security has risen to a
board-level concern, CISOs are often asked to speak before the
executive team and board, underscoring the importance of the
discipline, while also raising the profile of the executive.

So why has this not been a greater pathway? First, as CIOs must focus
increasingly on innovation, which is about risk taking, CISOs manage
or mitigate risk. That is not to say that there is not profound
innovation that CISOs can undertake on behalf of their companies, but
this focus has been a limiting factor to these executives’ rise,
nevertheless. Additionally, security roles can be siloed relative to
other roles in information technology, and the lack of leadership
roles across IT can be viewed as another limiting factor.

On the positive side for CISOs, they are increasingly set up as peers
to CIOs in a number of companies with the growing importance of
security and the increased cases of breaches across a wide array of
companies.

One example of a CISO who has risen to the CIO role is Wafaa
Mamilli, who is the Executive Vice President and Chief Information and
Digital Officer of Zoetis Inc., the largest global animal health
company. Mamilli was the Global CISO for Eli Lilly for three years
through February 2016, when she was promoted to the role of Global
Chief Information Officer, Business Units at Eli Lilly.

Another example is Jason Ruger, who simultaneously has the title of
global CISO of Lenovo, while also serving as CIO of the company’s
Motorola business unit.

When asked about how she navigated the pathway from CISO to CIO,
Mamilli noted that focusing on enabling business strategy has been
key. “Throughout my career, I always made sure to position whatever
role I had in the context of the business strategy and outcomes we
aspire to achieve,” she said. “This led me to be a continuous student
of the business and the technology at the same time. Magical things
happen at the intersection of fields.”

She noted that her role as CISO was a “happy accident” of sorts,
though she is happy she had those responsibilities. “My company
entrusted me with the role with no experience at all in information
security,” she said. “I know that this was because of my deep
understanding of the business and credibility in a variety of roles
around the globe and the Technology function.” She believes that the
role of CISO was the best learning opportunity for her, and both the
steep learning curve and the intensity of the experience prepared her
for the broader responsibilities she now has.

In Jason Ruger’s dual role, he must balance the CIO’s desire to
collect as much information from as many different sources as possible
to build insights with the CISO’s responsibility to separate those
different sources to not allow views across multiple data sources that
would result in lateral movement and increased risk. “The more data we
have or that our customers choose to share with us, if they opt in
from a privacy standpoint, the more of a liability it creates for the
company,” said Ruger. “From the CIO standpoint, the more data we have
that our customers share with us or the more data we collect from a
manufacturing line to know exactly what machines soldered the specific
part onto a device from a quality standpoint, the better decisions I
can help the company make as CIO.”

Mamilli believes that the CISO role requires putting the business
context at the center of the thinking process all the time. “Balancing
security with convenience while enabling the relevant innovation at
the right pace is critical to be an executive that gets to “yes”
rather than being a “no” all the time.” In her current role, she draws
upon the thought process that once dominated her responsibilities. “In
my current CIDO role, I have a deep appreciation of the technology
risks, the need for security by design as well as upskilling the teams
to really make security and risk management everyone’s job,” she
noted.

Ruger finds that holding this dual role helps him better understand
the need to find alignment on what parts of the business are most
important to protect from a cybersecurity standpoint and also what
parts of the business are most important to invest in. He also finds
that from a CISO perspective, having both roles helps him better
understand sometimes opposing direction from the CIO with regards to
which systems to prioritize from a cost perspective. “As a CIO, I
understand the pressure that CISOs put on CIOs. CIOs typically are
under a lot of cost pressure; we have a hybrid mix usually of on-prem
[compute] and cloud. Those systems are not always patched as
frequently as we would like. We cannot get the downtime, we do not
have the resources, etc. From a CISO standpoint, it helps me
understand from the CIO's perspective that we need to prioritize which
systems we need to patch. We need to prioritize what monitoring and
layers we put on so that we do not treat all data as the same.”

Mamilli, for one, believes that more people should have a stint at
CISO on their path to becoming CIO, as it is a critical skillset that
is not going to diminish anytime soon. “I strongly believe now that
security and risk management acumen are must-haves in any C-level
executive position leading technology and digital,” she said. “This
acumen can be acquired through rotational experiences. I would highly
recommend including a security role assignment in the career plan of
anyone aspiring to be CIO or CIDO.”
