The intertwined CIO/CISO relationship and why it matters
Aug 16, 2021
Governance, risk, and compliance depend on synchronizing CIO and CISO objectives.
Progressive enterprises are migrating more and more of their workloads to cloud-based infrastructure. It seems straightforward: Remove legacy hardware and software, replace it with PaaS/IaaS/SaaS, and then enjoy the accompanying agility, reduced complexity, and lower costs.
But digital transformation isn't trivial, and the challenge isn't technology. It's the required collaboration between leaders and teams supporting the legacy infrastructure and workflows. Additionally, there are specific areas that CIO and CISO leaders must constantly keep in check:
- Governance: Ensuring that organizational activities, like managing IT operations, are aligned to support its business goals.
- Risk: Making sure that any risk (or opportunity) associated with organizational activities is identified and addressed in a way that supports the organization's business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization's overall enterprise risk management function.
- Compliance: Making sure that organizational activities meet the laws and regulations impacting IT systems. This means ensuring that IT systems and the data contained within are used and secured properly.
Migration to a cloud-based infrastructure requires teamwork across all IT disciplines and, in most instances, every business unit within an enterprise. Teams must work together to prioritize company objectives as they evolve.
In the second episode of The CIO Evolution podcast, I spoke with two expert technology leaders: former BMW CIO Klaus Straub and financial industry CISO John Meakin about governance, risk, and compliance in the context of zero trust, digitalization, and leadership. Our conversation covered the need for organizational transformation that includes both technology and culture and how CIO and CISO priorities need to be brought into alignment with business initiatives to achieve successful, secure digital transformation goals.
Below are some key highlights.
What is the value proposition of zero trust for CIOs and CISOs?
There is a lot of talk about zero trust and digital transformation, mainly as a way of securing cloud architectures. Moving to a zero-trust model should serve some purpose, though. One such purpose is to remove the cost and responsibility of in-house architecture.
This changes the nature of control, as John pointed out: “The traditional security model is ‘it's secure because I control it. It should stay secure forever.’ Of course, if you're going to embrace the internet and digitally offer services to people, you'll no longer be able to control all the technology.”
Traditional security models have been built on control: owning the assets and restricting their use. To embrace the internet and digital technologies, CISOs must break from the owner model and establish trust at the point of use. Security mechanisms built around each connection and transaction can key on identity rather than on the application, verifying in near real time. Confirming trust every time a connection occurs is a more secure, reliable, and empowering approach for the entire business.
What is the intersection point for a CIO and CISO in the business?
The relationship between the CIO and CISO has inherent tension: the CIO wants to create new business opportunities, but the CISO is concerned about security and risk. Zero trust can be the mediating intersection point for this traditionally contentious back and forth.
Klaus concurred: “The CIO needs assurance that they can grab the business opportunity while maintaining sufficient control to keep the cybersecurity wolf from the door. The CIO and CSO have come together to give that confidence.”
This shift requires board-level buy-in to drive joint technology and security initiatives knowing that restricting access can enable business growth. Brands can also put verification to work for customers, instilling trust at the consumer level. Here, GRC and security intersect as CISOs discuss controlled digital transformation that accounts for data integrity and innovation. The board, in turn, must empower CISOs with oversight to drive efforts across architects, development, and cybersecurity for effective, efficient operations.
How do governance, compliance, and risk management fit into the CIO/CISO relationship?
Governance, compliance, and risk management often span the purview of both the CIO and the CISO. Zero trust can simplify the conversations where business priorities and security imperatives intersect, as John explained: “If you like compliance with a big C, banking work is for you. I've seen compliance models which have people who do, and then people who check, and then people who check the check, and people who check the checkers. You end up with a thousand people working in compliance. The zero trust model is the opportunity to do compliance in real time.”
Klaus added: “You need trust to permeate your organization and your business relationships. You have to give trust to get trust. Security is the same, and just as important. You let one breach through, you are marked throughout your business ecosystem.”
Zero trust in this instance becomes a strategic imperative. IT no longer protects applications or hardware; it protects organizations, people, and data. Devices integrated through 5G and IoT require so many connection paths that perimeter firewalls become useless. Least-privilege access is now the bedrock of modern security, and zero trust makes this principle even more dynamic. Beyond user identity, trust can be established at different levels depending on user location and device, making security a function of both user and circumstance.
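The two ideas above, verifying trust at the point of use rather than by ownership, and making the decision depend on user, device and circumstance under least privilege, can be made concrete with a small policy function. The following is an added illustration written for this page, not code from the podcast or its participants; every role, resource, rule and request in it is a constructed assumption, and a real deployment would source entitlements and device posture from an identity provider and endpoint management system rather than from inline tables.

```python
"""Per-request zero trust decision versus a perimeter decision (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """One connection attempt, with the context the policy evaluates every time."""
    user: str
    role: str
    device_managed: bool   # enrolled in endpoint management
    device_patched: bool   # meets the current patch baseline
    mfa_verified: bool     # identity proven for this session
    network: str           # "corp", "home" or "public" (assumed labels)
    resource: str
    action: str            # "read" or "write"


# Least-privilege entitlements: which role may perform which actions on which resource.
# Constructed sample policy; not any real organisation's entitlements.
ENTITLEMENTS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("developer", "source-repo"): frozenset({"read", "write"}),
    ("developer", "payroll-db"): frozenset(),
    ("finance", "payroll-db"): frozenset({"read", "write"}),
    ("finance", "source-repo"): frozenset(),
}

# Resources whose writes demand stricter device posture and a non-public network (assumption).
SENSITIVE = frozenset({"payroll-db"})


def perimeter_decide(req: AccessRequest) -> bool:
    """The owner model: being inside the controlled network is the whole check."""
    return req.network == "corp"


def zero_trust_decide(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one request on its own merits. Network location never grants access by itself."""
    allowed_actions = ENTITLEMENTS.get((req.role, req.resource), frozenset())
    if req.action not in allowed_actions:
        return False, "no entitlement"            # least privilege: deny by default
    if not req.mfa_verified:
        return False, "identity not verified"     # trust keyed on identity, checked per session
    if not req.device_managed:
        return False, "unmanaged device"          # device is part of the circumstance
    if req.resource in SENSITIVE and req.action == "write":
        # Circumstance-dependent tightening: the same identity gets less latitude
        # on a stale device or from a public network.
        if not req.device_patched:
            return False, "device out of compliance"
        if req.network == "public":
            return False, "sensitive write not permitted from public network"
    return True, "allowed"


def compare(req: AccessRequest) -> Dict[str, object]:
    """Side-by-side result suitable for an audit log line; shows where the two models diverge."""
    allowed, reason = zero_trust_decide(req)
    return {
        "user": req.user,
        "resource": req.resource,
        "action": req.action,
        "perimeter": perimeter_decide(req),
        "zero_trust": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed requests: a developer working from home on a compliant device,
    # and a finance user on the corporate network from an unmanaged laptop.
    samples = [
        AccessRequest("alice", "developer", True, True, True, "home", "source-repo", "write"),
        AccessRequest("bob", "finance", False, False, True, "corp", "payroll-db", "read"),
    ]
    for s in samples:
        print(compare(s))
```

The two sample requests show the inversion the text describes: the perimeter model admits the unmanaged laptop because it is on the corporate network and rejects the remote developer, while the per-request model does the opposite, because it reasons about identity, device and entitlement instead of network ownership.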
How does the concept of trust help the CIO/CISO drive innovation?
A zero trust architecture can create alignment between the CIO and CISO functions. With contention over job responsibilities removed, development teams can move quickly without fear of crossing a specific IT team (applications, infrastructure, security, etc.).
Klaus: “The CISO is not just responsible for the strategic and governance oversight, but also software developers and architects. They need those controls to effectively innovate in today’s environment.”
As enterprises expand into cloud infrastructures and use deployments that support hybrid work environments and agile dev processes, it’s important to let the developers take advantage of the ways that the cloud can accelerate time-to-market. This is only possible if the CIO and CISO have alignment on goals, and support from the board.
Zero trust makes strange bedfellows into a power couple
Enterprises must adopt a consumption-in-the-cloud model of operations to become more agile, efficient, and productive. For cloud-enabled enterprises, the present and the future is a connectivity architecture based on the internet, perimeter-less cloud security, and critical business systems running outside of an enterprise boundary. Siloed IT teams dependent on siloed technology must learn to collaborate with other teams to achieve unified business goals. IT leaders accustomed to dealing with only the technology they understand and the vendors they like will have to adapt to a new way of running things.