CIO & CISO: Managing Tensions and Working Together

In our third interview on Managing Tensions between CIO & CISO and Working together, JM Search Partner, Jamey Cummings had the opportunity to interview Scott Howitt, Chief Digital Officer at UKG, former SVP & CIO at McAfee Enterprise and SVP and CISO at MGM Resorts International.

In the past few years, many companies have gone through large-scale digital transformations and are now under more pressure than ever to not only move at a faster pace, but also with much more attention to the organization’s information, cyber, and technology security. The tension between the priorities of enabling business objectives through technology and maintaining a robust security posture is especially challenging in terms of CISOs reporting to CIOs.

JM Search and our global search partner, Amrop, collaborated on a series of interviews with CIOs and CISOs in the U.S. and Europe to gain their perspective on how to approach and manage these challenges. Continue reading to learn Scott Howitt’s outlook.

Q: There often appears to be tension between the priorities of enabling business objectives through technology and maintaining a robust security posture.  What have you found to be the specific areas where this tension most clearly manifests itself? And what from your perspective are the pros and cons of the CISO reporting to the CIO vs. working as peers? Some people have also included the CTO when talking about how these structures function. But you’ve been in both seats before – CIO and CISO, so your perspective will be very valuable.

A: If I look at how the world worked 5-10 years ago, the CIO was a well-established tech leader, and oftentimes the CISO would come in and be yet another person under the CIO’s purview. And if you have a CIO who understands and cares about security, that’s a fine relationship to have; because, of course, there are conflicting drivers for what the CISO does and what the CIO does, as there are conflicting drivers in every business. But often the CISO has to face a challenge where the CIO gets singularly focused on technology and focused on it for a while. The CISO in the meantime has to worry about everything, and that can cause internal friction because the CIO has a big deliverable, while the CISO has many more things to keep track of. So, at one point when I changed companies I said: I won’t work for a CIO. If I’m coming here, I’m going to be a peer, that way there’s no conflict. It worked for me, but it can create a different kind of conflict: the CIO and CISO can have even less understanding when it comes to the projects the other one is working on. One of the CIOs I was working with as CISO, which I thought worked really well, said: you can be a CISO, but at some point you’ll own capacity management, and network engineering, and database administration too, so you can really learn all of it. So, I think there’s value in getting the CIO to be the CISO at times and the CISO to be the CIO. I know that’s hard and you’re not always going to have leaders that are mature, but, I think, playing different C-suite roles certainly helps.

Q: What are the main things each of them needs to learn about the other’s job?

A: Typically, the CIO has a better relationship with the business, they understand the business drivers a little better. The CIO could sit down with the CISO and say: here’s all the controls you’re trying to put into place, but let’s prioritize against the business outcomes that we’re trying to achieve. And most of the times the CISO is a better technologist than the CIO because they have to understand every technology that’s in the place, and they typically also understand the interdependencies a little better, because they see those hand-offs: they need to understand generative AI better than anybody in the organization before things get too far in implementing it, they have to understand the Cloud better than anybody and so on, so the CISO is always in the cycle of having to keep up.

Q: And having to do that also gives them a certain advantage.

A: Yes, and you can see it in the differences between the CISO community and the CIO community. CISOs are encouraged to do knowledge-sharing among their peers, so I think you get better collaboration and more rapid innovation out of the CISOs. And the CIOs could really learn those things from them. When you put these two people together, it can be a really strong partnership, but in a lot of cases organizations set them up in a way that it’s almost like they purposefully want them to be in conflict. But oversight doesn’t mean conflict. Sometimes the Chief Revenue Officer and the Chief Financial Officer don’t agree about how the sales motion and revenue recognition should work, and they have to battle it out and come together and decide what’s right. But you shouldn’t set them up to be in conflict all the time, the same is true for CIO and CISO – they should complement each other. Occasionally they should debate and come up with a better way of doing things. But now it’s very much also about the complexity of technology – it’s so complex that it’s very rare to find somebody who is conversant in all spaces.

Q: Yes, it’s overwhelming and moving very fast right now.

A: Yes, because for the CIO, most of what he deals with is fairly well established. So you find the CIO concentrating more on the business, and the CISO more on the technology, because they have to try and figure it all out on their own and pull it all together. But, like I said, you can’t have one without the other. If you have a well-seasoned CISO, then the CIO can talk about the business outcomes and the CISO can talk about the risks to the outcomes, and better decisions can be made. So, it’s about who are the players that you have – knowing that you organize your business around that. And then I would encourage cross-pollination – the CISO could run security and one middleware for the organization. That would make them a little more cross-functional, and same goes for the CIO – they could run certain aspects of security, especially in the three lines of defense mode. The CIO could run operational security, while the CISO runs governance, security and oversight.

Q: Do you have any final remarks with regards to what we’ve discussed?

A: At the end of the day, all businesses work the same way – you maximize EBITDA, and you grow revenue. That’s just the basic premise of how you run a business, and then you figure out what the key levers are to make that happen. So, technology evolves, and just like during the COVID-19 pandemic, the resilient businesses survive and the fragile ones do not. And if you have the ability to be resilient in your role, you will be a fine technologist. At the rate things are changing, your job might be going away soon, but good technologists are resilient.

A very special thank you to Scott Howitt for his insights and thoughts!

For more perspectives from former CISO’s and CIO’s, read the full study on CIO & CISO: Managing Tensions and Working Together.