CIO & CISO: Managing Tensions and Working Together

As we touched on in our first interview series on Managing Tensions between CIO & CISO and Working together, in the past few years, many companies have gone through large-scale digital transformations and are now under more pressure than ever to not only move at a faster pace, but also with much more attention to the organization’s information, cyber, and technology security. The tension between the priorities of enabling business objectives through technology and maintaining a robust security posture is especially challenging in terms of CISOs reporting to CIOs.

JM Search and our global search partner, Amrop, collaborated on a series of interviews with CIOs and CISOs in the U.S. and Europe to gain their perspective on how to approach and manage these challenges.

In the series of interviews, JM Search Partner, Jamey Cummings had the opportunity to interview Emily Heath, Former CISO at DocuSign and United Airlines and General Partner at Cyberstarts. Heath’s perspective is that reporting structure shouldn’t matter “because as a CISO your job is to be a business leader first and a security leader second.” Continue reading the interview below to learn more around her perspective.

Q: There often appears to be tension between the priorities of enabling business objectives through technology and maintaining a robust security posture. What from your perspective are the pros and cons of the CISO reporting to the CIO vs. working as peers?

A: My general philosophy about reporting structures is that for 90% of my career it never really mattered to me so much about who I reported to because as a CISO your job is to be a business leader first and a security leader second. If you’re truly a business leader, you spend time with your business partners and the reporting structure becomes just a formality. The important thing is that you have the space, the freedom to do your job and complete access to everybody you need access to. Somebody with a strong political capital can navigate any organization and being given the freedom to go and do that, to do your job, is more important than any reporting structure.

Q: You said that was 90%. What’s the other 10% about?

A: That’s the part where the reporting structure starts to matter to further your career. For CISOs to think about career advancement they need to report to the CEO  – not because of hierarchical influence or anything that made any difference to how they do their job, but because they need to be part of the C-suite if they want the opportunity to be on boards later. The reporting structure can matter a lot when you’re at the end of your career and you’re looking to be on public boards, because you will get paper-sifted if you’ve not been either part of the C-suite or at least an SVP. Being on the C-Suite opens different doors for you because having a seat at the table allows you to see how the whole company operates, and in order to be a well-rounded board member you can’t be a one-trick pony that only knows security; you need to understand the commercial side of the business.

Q: What reporting models do you see more often these days?

A: The world of the CIO has changed a lot over the years. I think now we only really see the traditional CIO role in very large organizations. I have seen CIOs become Chief Digital Officers by taking on some of the digital initiatives and some take on larger COO roles and have both the CISO and the CIO report to them. That goes to show that even larger companies are now sometimes pulling the CISO out of the CIO organization, but you need to look at the profile of the company. If it is a very large enterprise company that has a more traditional structure, it’s highly likely that the CISO will still report to the CIO still. There are now also a lot more CISOs reporting to the legal, which has pros and cons too.

Q: What are these pros and cons, in your opinion?

A: I would say the pro is that when legal tells you to do something you generally do it: you leverage that relationship very carefully and pull those cards out when you need them – and you get things done faster. The con is that the lawyers are not operators, they’re not technologists – so they really have very little understanding of what you actually do every day. They’re brilliant at what they do, and we need them to be our partners – we need them in the trenches with us, but reporting to them, in my opinion, is inhibiting. Of course, it depends on the company – if the company has been massively breached, often the CISO will report to legal, because legal wants to have a firm eye on everything that’s been said and done, but, for the most part, they’re just not operators, and they also don’t have large budgets, so the security budget for them can often appear excessive.

Q: Indeed. But let’s go back to where you said that the role of CIO has changed a lot.

A: The cloud has changed absolutely everything, and business units are a lot more self-sufficient than they’ve ever been before – they’re spinning up their own technology. And when you think about the CIO’s role, they’re not creating networks anymore like they used to, so the weight of the CIO’s role has gone heavily into enterprise applications and PC desktop support – unless you have a large, traditional organization which does a lot of in-house development. But most organizations run on SaaS, so it’s more about managing the SaaS relationships. The CIO traditionally used to have a CISO, a head of infrastructure, who also did desktop support, then a leader for enterprise apps, and they probably had a PMO that reported to them. Now it’s becoming more prevalent that there’s a CISO, CTO and a CIO who are all peers. In very large organizations, the CTO used to report to CIO, but that practically doesn’t happen anymore. For the most part it’s split out, and the CISO has more relationships to juggle across the business. What they juggle with the CIO is normally corporate IT stuff – anything to do with the PCs or the corporate cloud or the data that’s stored in the SaaS applications, the finance systems, the legal systems, the HR systems, etc. In companies that have CTOs and engineering shops that’s a very different relationship for the CISO to manage. And I’d say there’s exponentially more headaches between a CISO and a CTO these days than between a CISO and a CIO. And there are a lot of companies which operate like tech companies, because they have their own engineering shops with a separate organization.

Q: So, you could say that CISO’s role has become more challenging too.

A: The dials have shifted a lot. CISOs are wearing many hats. The CISO has a very unique vantage point across a company – they’re responsible for understanding each business unit, the critical operational processes and the risk it entails. They don’t get to just sit in a digital world, or in an IT world anymore, they need to understand how business operates. Even in the technical realms, the landscape has changed a lot. Most CISOs and their teams spend a lot of time on vulnerabilities, and the definition of that word has changed over recent years. People used to think that a vulnerability was just a missing patch – you just had to go and patch it, and that was it. But now, because you’ve got this completely automated CICD pipeline that’s pushing code out all day every day, a vulnerability can be a misconfiguration, a password or a secret that’s not rotated, it could be a container that hasn’t been set up properly, or something more traditional like a patch. And it is the CISO’s job to look across all of them, add business context to them, and to understand what needs to be fixed first. It is not uncommon for companies to have tens of thousands or hundreds of thousands of vulnerabilities in their environments, so how do you organize that in a way where you inspire somebody else to go and do something you need them to do to reduce the risk? As a CISO you are 100% reliant on somebody else doing something for you to be successful in your organization.

Q: And how does one make it work?

A: The CTO organization and the CIO organization, they’ve got their jobs, they’ve got code to ship, product to ship, back office and revenue generating initiatives to attend to, and you have to work with them in order to have them drop what they’re doing and go fix something. Therefore, the political capital of CISO in the relationship with CIO and the CTO is highly important. Those relationships can make or break your security program. If you’ve got friction there and the CTO says, yes, I see all of those issues, but we’re busy right now, there’s no way you are going to get things fixed. Security teams don’t fix stuff, they’re the governance. Historically they used to go to the person running the infrastructure and say: hey, you’ve got 10,000 vulnerabilities, here’s your report, you need to fix them. But that doesn’t do anything, this person is not going to get off their seat. So now we’re evolved more, and we say: hey, you’ve got 10,000 vulnerabilities, these 5,000 are critical or high, but only 20 of them are unique vulnerabilities, and only 10 of them are actively being exploited right now. So, of all these 10,000 you really need to fix only these 10 things for us. Then that’s a very different type of conversation. So, there’s massive friction with engineering teams that often sit under the CTO, because the first thing engineers do is try and discredit any data security teams give them. We end up spending too much time talking about the source of data, instead of talking about what needs to be fixed.

Q: How do you counter that?

A: You have to take time with these relationships and bring people in when you’re buying technology. Let’s say we’re bringing in a vulnerability scanner. If you don’t bring the engineering team along for that ride, the first thing they’ll do once you’ve purchased it and given them the first report, is they’ll say: well, why did you buy this one? It doesn’t do this and that! They’ll discredit everything. So, to avoid that, you have to make them part of the process from the very beginning. And then the security teams work through the output, and it’s up to them to curate the data, and tell the story – and you need to make sure you tell the right story. You have to walk the engineering teams through it – and it’s a very delicate dance. In the first few months where you’re bringing data together, you have to go through and demonstrate to them where your data comes from, why you’ve made a decision that this or that vulnerability is important. The trust that you build is everything – because the minute they trust you, you’re saving a massive amount of time. What happens then is you slowly start to get out of the way. The best implementations are where I implement, I do the dance, I build the trust and then I get my team out of the way, and say – you know what, let me give you access to this. You don’t need to wait for me to tell you that something’s wrong. You know the methodology – why don’t you operate it yourselves? And should you need us, we’re absolutely here to help you. Now they’re the captain of their own ship! It takes time to build this kind of partnership. You have to meet people where they are and bring them along with you. 90% of what security teams do is all about people – we’re all in the people business. But it takes a certain kind of influencer to make that happen.

Q: At the end of the day a CISO is really influencing and selling ideas and concepts to other stakeholders.

A: The thing for the CISOs to remember is that they should anchor their decision-making and what truly matters to the business. Like I said at the very beginning – the CISO needs to be a business leader first and a security leader second. They need to have a very strong understanding of what matters most to their business, what makes their business operate, how they drive revenue, and parts of technology which are crucial for the business. First three or four months at a company I’m spending large amounts of time with business leaders talking to them about how their business actually works – I need to know the nuts and bolts of what drives us, what drives revenue; if things went down what the impact would be. It’s very much about understanding the inner workings of any organization and CISOs often don’t take enough time to do that – they jump right at the technology. My five questions are: What matters most? Where is it? How are we protecting it? Where are we most vulnerable? How prepared are we for when something goes wrong? That’s how I run a security program. But it all comes back to that very first question. And I think it’s part of the storytelling with the CIOs and the CTOs because if you take the time to do that work, they know that you understand them. But a lot of CISOs don’t get off on the right foot – they’re already discredited because they don’t take time to understand the business, and ask questions, and listen. Just go to the CTO and say: Hey, if you were me, what would you be worried about the most? What parts of your infrastructure would you need us to help you protect more than others? But a lot of times it’s the wrong way round – there’s a bit too much of dictatorship: here’s what we need you to do, go do it, we’ll check if you’ve done it, and we’ll tell you if you’ve not. But that’s just not the way to do it. I think it all starts with truly trying to understand your business partners, including the CIO, and the tough job they have keeping their business happy and operating – as a CISO you need to understand them and meet them where they are. All in all, I think it’s getting better and there are a lot more business minded CISOs out there than there ever used to be. Besides, those are the people who will be in high demand for Boards. Public companies are not going to give them a precious Board seat, unless they really have this mindset.

Q: With the increasing regulatory scrutiny in Europe and increasingly across the US, what impact have you seen on the scope of CISO’s responsibilities and necessary interactions with other stakeholders to strike an effective balance between security and privacy?

A: Most of the businesses, including their CTOs and CIOs really lean heavily on CISOs and their legal partners to help them navigate the regulatory issues. I think that CISOs are becoming subject matter experts in the regulatory landscape because it’s so embedded in their day-to-day job – the other technology teams are coming to them a lot more, which is a really positive thing. At the same time, I’ve bumped my head with lawyers quite a lot around the operational side of privacy. We do need lawyers to help us interpret the law and understand the guardrails, so I can go build programs around them and make sure that everybody’s doing what needs to be done. But the friction for me comes when lawyers want to take on privacy operations – own the operational side of privacy, because they tend to want it, but they’re not operators and often dont do well with those roles. We need our legal expertise to guide us and to be impartial and counsel us, but they shouldn’t be running privacy incidents in my opinion. Privacy is a gray area which sits between security and legal – sometimes the CISO owns it, something legal owns it, sometimes both do, but it’s often a hard one to navigate.

Q: What are your views on a Privacy Officer, is that going to be a more prevalent role? And where do you see it sitting ideally?

A: Privacy is not going away, if anything, it’s on the rise. I’ve seen CISOs as Privacy Officers and I’ve also seen somebody from the legal team be the Privacy Officer. I’m in favor of it being from the legal team – they can help govern that as well, but not take on the operational side, as I’ve said before. Just because you’re a Security Officer or Privacy Officer doesn’t mean you have to own everything. As a CISO we don’t own everything, We don’t want to own everything! We actually want to own less, because the less we own, the more it’s embedded in the business. It’s a question of accountability versus ownership. You get friction when those parameters are not well-defined.

Q: Yes, on the one hand you don’t want to be too rigid about who owns what but also the legal team can help you set barriers – you need to stay within this guardrail to keep the company safe, so they really act almost like a Risk Officer at the end of the day.

A: True, and it’s helped me countless times especially where there’s new laws and regulations – I need the legal team to help me dissect what that means for us. And once they’ve done it, it helps also when I need to go talk to the CIO or the CTO and say: these are the new guardrails. They might not agree with that, and I don’t necessarily agree with that either, but the legal team has determined this in conjunction with outside counsel, and that’s how we must operate, the conversation stops there. So, it’s helpful to have them be the overarching guidance and counsel – that actually helps people get the job done. And, to avoid any potential friction, you need to know who owns what – it just takes a bit of time upfront to make sure everybody knows who does what and then you stick to it.

A very special thank you to Emily Heath for her insights and thoughts!

For more perspectives from former CISO’s and CIO’s, read the full study on CIO & CISO: Managing Tensions and Working Together.