CIOs are developing new skills to accommodate the disrupted nature of the modern enterprise. In a hyperconnected, always-on world, where the customer is king, CIOs have left pure technology skills behind and are now stretching themselves to become creative evangelists and strategic thinkers — people who can devise and deliver innovative new solutions that build business revenues rather than just support existing processes. [See also: Chief Information Security Officer salary, job description and reporting line]
These business demands are pulling CIOs in several different directions. For example, as a result of the rapidly changing business landscape, CIOs are faced with business leaders that are increasingly keen to be involved with technology. Moreover, end users and customers today are technically competent individuals who are comfortable with their own technology and expect business computing to mirror their personal experiences.
As a result, the CIO is no longer simply a technology leadership role; instead, it's beset with demands for digital services that revolutionise the corporate model. CIOs need to drive revenue, customer engagement, and innovation while working within strict cash limitations — a complex balancing act. As a principal member of the technology leadership team and an incipient trusted advisor to the CIO, the Chief Information Security Officer (CISO) needs to understand their CIO's challenges to ensure that they're a net benefit rather than a resource drain or distraction.
The relationship between the CIO and the CISO is usually strongly interdependent — and this goes beyond a direct reporting line which is still the most common. The CIO relies upon the CISO for advice and guidance, while the CISO depends upon the CIO for support, resources, and priorities. This is a key connection that's vital to the success of the firm and the technology management department and it is essential that this become a solid partnership — yet feedback from CIOs indicates that CISOs are falling short. CISOs need to make efforts to build bridges and delight their CIOs.
The CISO role is in the midst of a transformation from that of technical maestro to business leader, and there's a danger that this will lead CISOs further away from managing technology and keep them from forging a close partnership with their CIOs. But that doesn't have to be the case; CISOs can build that solid bond and really help CIOs out by closely focusing on four key aspects:
1. Escalating risks and issues selectively.
It seems that the days of the "sky is falling" CISO are not quite over. But CISOs must stop dragging their CIOs and business leaders into the weeds for every risk. Instead, they need to build a simple risk appetite model that triggers defined actions at different risk levels and only involves others as needed; take responsibility for managing day-to-day risks without causing alarm or interruption; identify and avoid hypes and fads; and relate all advice back to the business goals.
2. Using business skills to craft and socialise solutions.
CIOs are frustrated that security and risk (S&R) leaders too frequently bring them problems, not solutions. CISOs must rectify that by leveraging increased business awareness and connections and reinventing themselves as solution architects. They must understand the problem and its business implications from wider and more frequent business-level communications and then propose a solution to peers in both tech management and business.
3. Reacting quickly to bad news.
While socialised solutions are important, CIOs said that they also needed to see the rapid deployment of triage and emergency response processes when required. In the current threat landscape, every organisation should "plan to fail"; having a robust, tested plan preapproved by all of the main players means that everyone knows what to do at times of crisis. CISOs need to have that plan ready to fly at a moment's notice.
4. Being proactive when it comes to innovation.
Many CIOs described a S&R practice that constantly puts roadblocks in front of other people's ideas. A greater degree of upfront collaboration and innovative thinking could transform these hurdles into refinements, proposals, and course corrections, thus avoiding a frustrating and costly stop-and-go project life cycle. CIOs need CISOs to keep up to date with the rapid rate of technology change; force themselves on to innovation councils and into every project; and work hard to add pragmatic value.
Only the adaptive survive
In order to meet today's market demands, the CIO needs a supporting team that's sympathetic to business challenges. This team should be able to drive technology forward and accommodate — or even create — digital disruption as necessary, and the CISO must be a fundamental component of that. CISOs who aspire to a successful career need to support their technology management leadership by developing tool sets and skills over and above the purely technical. They need to reconsider their attitude toward risk and prioritise strategic thinking, creative solutions, and collaborative engagement to thrive rather than simply survive.
Andrew Rose is principal analyst at Forrester Research where he serves the information needs of Chief Security Officers.