CIO & CISO: Managing Tensions and Working Together

‘’You have to be comfortable with being uncomfortable – and having healthy conflict!” Harvey Ewing | CISO turned CIO

In the past few years, many companies have gone through large-scale digital transformations and are now under more pressure than ever to not only move at a faster pace, but also with much more attention to the organization’s information, cyber, and technology security. The tension between the priorities of enabling business objectives through technology and maintaining a robust security posture is especially challenging in terms of CISOs reporting to CIOs.

JM Search and our global search partner, Amrop, collaborated on a series of interviews with CIOs and CISOs in the U.S. and Europe to gain their perspective on how to approach and manage these challenges.

In the first of the series of interviews, JM Search Partner, Jamey Cummings had the opportunity to interview Harvey Ewing, a CISO turned CIO and former Chief Operation Officer at Specialized Security Services, Inc and Mercy Technology Security Board Member. Harvey Ewing brings a unique perspective having been both a CIO and CISO in his career. In the interview, they discuss the tension between the priorities of enabling business objectives through technology and maintaining a robust security posture and how these priorities can be especially challenging in terms of CISOs reporting into CIOs.

Q: Harvey, you’ve been a CISO and are now a CIO, so you’re in a position to offer a very interesting perspective on the subject. There often appears to be tension between CISOs and CIOs – the priorities of enabling business objectives through technology and maintaining a robust security posture.  What have you found to be the specific areas where this tension most clearly manifests itself? Is it mainly about technology, ownership and accountability of technology and delivery, or budget priorities and constraints, perhaps others?

A: First, I’d like to expand this to include the CTO – at least in my experience I’m seeing companies move towards more of a CTO, CIO, and CISO type of configuration.The CIO and CTO roles are typically predicated on delivery – delivering infrastructure, services, application feature functionalities, and so on, in a timely manner which, I believe, can create a direct tension between the roles. This tension is typically due to the CISO being seen as an inhibitor instead of an enabler. In my opinion, an antagonistic relationship between these three roles can be very problematic to the business, so culture and reporting relationships become incredibly important. The tenor of the relationship can be positively influenced by the CISO through direct communication. The CISO must overcome the traditional stigma associated with role and must position themselves as strategically aligned to meeting the business’s needs.  That doesn’t mean reducing security, but it does mean approaching best practices and all that goes into an effective cybersecurity program through collaboration and communication. If the CISO becomes a business partner instead of a competitor, the tension is significantly reduced and all, especially the business, benefit.

Q: It seems that this way there’s also not enough discussion around security happening.

A: Yes, I believe that cybersecurity should be discussed at the senior executive and the board level. When risk acceptance is shifted to the senior executive team (away from the CISO), the decision as to how much risk will be accepted, how much risk must be mitigated and at what cost, it will assist in aligning the CIO, CTO, and CISO. I’ve seen too many companies that allow risk decisions to be made at various levels of the organization which creates risk for executive leaders and the board. It also creates friction between teams, especially cybersecurity and delivery, because decisions are begin made in silos. Every business takes risks, but, as long as the risk is defined, quantified and communicated, delivery and cybersecurity can drive towards one goal and know how far they need to go.  This aligned posture will reduce tension and increase delivery—in the right way. One other very important aspect of this discussion is culture. Leaders need to be business-focused, business-first, including the CISO. That can be rare, but they need to be able to speak the language of business, and they also need to lead without ego. If the CIO, CTO and CISO are all pragmatic, the tension is reduced, because now they’re focusing on where the business is driving them, and the decisions are made without emotion.

Q: But, as you said, the tone needs to be set from the top.

A: Yes, and the risk needs to be accepted at the right level of the organization. The CIO, the CTO and the CISO are typically not empowered to accept or reject risk on behalf of the CEO, the COO, the CFO, or the committee at the Board level that’s actually responsible for managing that risk and providing guidance.

Q: Is there anything else that, in your opinion, can affect the relationship between that triumvirate?

A: Large companies typically have in-house teams that are tasked with delivering the strategy for business from a technology perspective. One additional way to reduce stress is, instead of focusing on DevOps is to focus on DevSecOps, but in a very specific way.  The cybersecurity team should have application security developers that are embedded in the software development teams.  And when I say embedded, it is not for delivering vulnerability information, but to actually assist in remediation.  The application security engineers should evaluate code and then assist in resolving issues.  When that type of partnership exists, the security function is now seen as an enabler. You truly “shift left” as the team will iterate, potentially, a little more during development, but will accelerate as code is inspected and moves through the combined process. This type of process will, in my experience, reduce development and delivery cycles and truly position the cybersecurity team as a partner. It’s a very powerful catalyst to creating aligned teams.

Q: It’s one thing to have as copacetic a relationship as possible between the CIO and the CISO, but how about when it comes to communicating risks to the board? You’ve briefed the Board as both the CISO and the CIO. How can you best ensure that boards and ELTs are informed on enterprise cybersecurity programs and risks?

A: I’ve had a lot of trial and error with this, but what’s really worked for me is translating technology into business language. The Board will want to see and understand exactly what the level of risk is, but they want to see it with regard to its impact on strategic initiatives, top line revenue, EBITDA – they want to understand the business logic and math behind what the CISO is really trying to convey. Early in my career I made the mistake of being too technical to the point where the Board said: look, we love it, you’re a technical guy, that’s great. But what does it really mean for me? If I’m a board member providing guidance to the company what I want to understand is: are we driving to the level of risk where I’m comfortable? Have we enumerated those risks? Have you communicated those risks in a business format? Is it going to impact top-line revenue? Is it a third-party aspect that could have negative impact on the company? Are we covering the bases for my responsibility as a board member to this company, and are we protecting our shareholders? That’s the equation that we have to come up with, and again, the risk has to be accepted at the right level of the organization, that risk mechanism needs to be in place. And then there has to be a business justification and quantification on how those risks are mitigated. So, there’s no sensationalism. There’s no: hey, I’m going to go in and show all my technical value to the company. Instead, I’m going to translate all of these challenges into business language and let the Board say: I’m not willing to accept that particular risk for whatever reason. And here’s how much you’ve presented that it’s going to cost me to mitigate that risk. Is that acceptable to the business from a financial standpoint? If not, let’s go back and forth to where we drive to an acceptable level or risk, and an acceptable level of spending to mitigate that risk to our understanding and our liking.

Q: One of the consistent themes for you seems to be that, regardless of the reporting structure, relationships matter. But how do you work through tensions if the relationship is not so great? Do you have any tips for your fellow CISOs and CIOs on how to navigate that – from personal experience or that of others?

A: That’s a difficult situation to be in, and the CIO is likely put in that position by the pressure to deliver. Again, the question I would ask is: is the CIO being expected to accept or reject the risk on behalf of the entire executive team, is that CIO being put under significant pressure to meet business goals? As a CISO I would go to that CIO and say: look, I’ve got a job to do, as do you. How can I help support you and get the required delivery done? I understand you’re under pressure, and here’s what I want you to be careful of. Here are the things that we should work on together and which you need to be aware of, and if we need to elevate those risks higher in the organization so that it removes some of the pressure from you, let’s do that together. If I report to you, if you’re my colleague, then these are the items that we need to counsel the other executives on to see if they agree with where we’re at on how much risk we want to or don’t want to accept. It may be seen as roadblock, but you have to communicate to the CIO that you are business-aligned, and you want to help deliver all of the projects they’re being tasked with, so it’s really all about collaboration.

Q: And taking out the emotion…

A: Exactly. Because you’re going to get pushback, because people are going to say: look, I’m under pressure, I have to deliver, I know you want to do your job, but I see you as a roadblock. When you hear that you really need to take the emotion out and ask: why do you see me as a roadblock? What’s happened in the past – if they’re new to the role, how can we work together on this? Let me prove you that I’m a business-enabler, that it’s not security for security’s sake, but security for business’s sake! When you remove the emotion, you approach cybersecurity and delivery pragmatically, and you shift the risk-acceptance or rejection to the appropriate place in the organization, it really helps repair the relationship, and then creates a true partnership.

Q: These are such universal themes, but it feels like they still have to be constantly reminded of…

A: Everyone tends to envelop themselves in a silo when there’s contention, but I like to talk about healthy conflict. That’s removing emotion and you need to be able to push each other appropriately saying: hey, I’m going to challenge you and here’s why. I’m not just going to sit back and say: I’m going to make your life harder. We know that we have a common goal and that’s to support the business, so, if we’re both going to succeed, we need to develop that relationship, because a divided house is always going to fall. So, if the CISO and the CIO can’t develop that relationship, the ELT will have to say at some point: hey, you two are going to have to figure this out, because you’re negatively impacting the business. And you have to be comfortable with being uncomfortable, with having that heathy conflict and challenging that relationship positively.

Q: Thanks a lot for that. Is there anything you’d like to add, any final tips to any of those involved in this equation?

A: One thing I find really important is the cultural fit. People who are ego-free leaders and are there to support the business: if you can develop that high-functioning team, that’s the “secret sauce”. There are tons of people with good technical expertise – that’s why they’re in that particular position at that stage of their career, but they must be willing to partner and to be challenged by the team. I also think that it’s good to have that direct relationship with the Board, especially for the CISOs. The Board member can say: here’s what’s truly important to me. Here’s how you can deliver that data. Don’t make the CISO try to feel their way around to getting the Board and the other peers and senior executive leaders the data they need – give them that information upfront!

A very special thank you to Harvey Ewing for his insights and thoughts!

For more perspectives from former CISO’s and CIO’s, read the full study on CIO & CISO: Managing Tensions and Working Together.