Workplaces are communities built around relationships with peers. When such relationships are strong, they become sources of energy, learning and support. When fractured, they fester frustration and distrust harming both people and organisations.
The CIO-CISO relationship
One such relationship is that of the chief information officer (CIO) and the chief information security officer (CISO). When viewed as individual roles, each role can be described as in a constant state of stress. In matters of security, the two roles share common responsibilities and expectations placed by stakeholders in the organisation whether they are employees, business partners, shareholders, or customers.
"The CIO is enabling the workforce to accomplish their duties through process and technology, while the CISO is ensuring that the use of technology is being done in a secure manner and the processes do not pose an unacceptable level of risk."Brian Jack
KnowBe4 CIO, Colin Murphy confessed that could not imagine being a leader in an organisation that did not have a CISO. “I believe that in today's day and age, the CISO is a valuable counterpart to the CIO. We have different responsibilities and must look at the organisation's problems through a different lens, but in the end, the CIO-CISO should be co-parenting modern solutions,” he elaborated.
“The CIO and CISO relationship at KnowBe4 is very strong,” added Brian Jack, CISO at KnowBe4. “We both understand what the other person is trying to accomplish. It helps to have a very security-minded CIO and a very business-minded CISO who can communicate and respect each other. The combination must be able to work together to mutually accomplish goals,” he added.
Anton Reynaldo Bonifacio, CISO, Globe Group, says the structure at the largest mobile network operator in the Philippines is different compared to other companies. “We're both a telco and a conglomerate at the same time.”
Globe has a CIO, who looks after IT/Information Systems, while the CTO is responsible for the telecommunications network. “As CISO, I oversee ensuring both infrastructures are secure, through various governance and compliance functions, as well as the Security Operations Centre, which we run,” he explained.
Additionally, Globe’s CISO is a group-level role that is also in charge of securing not just the telco, but the other portfolio companies as well, which individually have their own CIOs.
Resolving conflicts that arise
Conflicts are an inevitable part of day-to-day life. Resolving these quickly releases tensions and fosters mutual respect and admiration.
“For my organisation, this is achieved by a strongly defined security culture. When conflicts arise, we are mediated by the culture of the organisation. An example of this is knowing that the CEO/CFO and the board would be supportive of solutions that do not violate those core values. Because of this, the CIO and CISO have a clear direction of where we will ultimately go with a solution."Colin Murphy
Jack believed that the two roles work together, treating each other as advisors in accomplishing the common goal of a secure and successful business operation. “If the CIO takes on a project and does not consult the CISO until the end, the project is likely to stall or fail, while the CISO should work with the CIO to understand all of the needs of the business and not just security projects,” he went on.
Tradition has it that the CIO carried the responsibility of information security. The CISO role is said to have been created in the 1990s with the appointment of Steve Katz to the position at Citicorp in the US following a serious hack.
Decades later the CISO role continues to evolve to meet changes in business, regulation, and technology.
Bonifacio noted at Globe, the CISO is treated at the same horizontal level as the CIO, CTO, and other technology or risk heads, or in this case, now group-level.
“This has allowed us to both run our programs ourselves while giving us equal weight when it comes to enforcing policies. Most importantly though is the culture that runs through our security organization. Instead of us being "enforcers" or "auditors", we function quite similarly to the CIO and CTO in the sense that we focus on "solutioning" and "enabling",” he added.
“That said when things are built, IT, Network, and Security all form part of the "manufacturing" process. We ensure that we are as operational as the rest, in that sense. We don't carry clipboards to call things out, we have our ‘wrenches’, and our hands are as dirty as everybody else. We are embedded into every technology process from start to finish,” he continued.
Murphy believes that there is value to having the CISO report directly to the CEO or COO. The landscape is changing for all organisations, and it will only become more critical than the technology solutions and risks are viewed with equal importance.
Jack sees the two roles learning from each other. “It could be very helpful to treat the CIO as a stakeholder in security projects and the CISO as a stakeholder on business projects,” he added.
Fostering a good relationship
Asked about the secrets to building a good CIO-CISO relationship, Bonifacio says it is all about story and narrative. “We ensure that our updates or asks all centre around a narrative the Board can understand. How? By sticking to our culture. Globe is a very customer-centric organization. Everything that we do is centred around the customer and our security programs are closely tied to the customer journey or narrative to ensure their experience makes "sense".”
He credits the CIO-CTO-CISO relationship around the Globe Culture. He points to one of the CEO’s favourite descriptors of this culture – friends on a mission.
“The (Globe) culture (is one) of collaboration and openness, with massively laser-focused customer-centricity, makes it so that "conflicts" are easy to resolve. All three leaders are a part of the same cadences, councils, and executive meetings."Anton Reynaldo Bonifacio
“So, we're rarely blindsided by key issues individually, and always aligned. It's a very social culture so we spend a lot of time together in and out of meetings. The respect for one another, knowing that we're all working towards the same goal allows for us to work on challenges faster,” he continued.
Jack attributes a successful relationship to good communication and mutual respect. “You also have to be able to understand what the other person's challenges and goals are so that you can work together and not against each other,” he elaborated.
Murphy hinted that a good relationship may be predicated on good security culture. “When the entire organisation increases its knowledge of threats and best practices, it becomes easier to get buy-in from most business units. It can reduce the pressure when users push back on new security policies or technical controls. It is a driving force to shift the relationship to one that is collaborative and innovative,” he concluded.