CISO Conversations: Code42, BreachQuest Leaders Discuss Combining CISO and CIO
The CISO reporting to the CIO remains the most common organizational hierarchy and is a continuing topic of concern. Many CISOs believe there is an unavoidable conflict of interest between smooth running IT and secure IT – but there is a slowly emerging trend that can solve this. Combine both roles under one person.
This is not the same as the earliest attempts at introducing cybersecurity into a business, where the existing head of IT was told to also look after security. This is the fully emergent head of cybersecurity turning round and being told to also look after IT.
In this issue of CISO Conversations we talk to two CISOs who have accepted this dual CISO/CIO role: Jadee Hanson at Code42 and Sandy Dunn at BreachQuest (now CISO at Shadowscape).
Getting the combined role
There is no current job role defined as CIO/CISO. Dunn believes it is the way of the future, but that it will take another 20 years before it becomes the norm. Her belief is born from a simple conviction: both roles serve the same purpose, which is to help or ensure business profitability. But neither function generates revenue for the business. They are both necessary cost centers, and it makes sense for them to work together as effectively as possible to maximize business efficiency. Combining the roles immediately eliminates any negative effects from a conflict of interest between IT and cybersecurity.
The biggest drawback to this evolution is that it is only suitable for SMEs – a single person would not be able to handle the complex requirements of both roles in large enterprises.
Since there is no accepted CISO/CIO role, there is no formal career path that can be followed to achieve it. It is largely a case of being prepared for it and taking the opportunity if and when it arises. Being in the right place at the right time with the right attitude is key.
For Hanson, who was already CISO, the potential was seen by the CEO because of her approach to cybersecurity. “Sometimes in the CISO role you get very narrowly focused on only protecting the organization,” she explains. “You forget that protecting the organization means taking on enough risk to enable the organization to meet business objectives. Within my security role, one of the things we often talk about and drive within the security program, is how to truly enable the organization to do what it needs to do. Security also means taking on the right risks in the right places.” As a result, she added, the CEO saw her as someone who could seamlessly take on the additional CIO role.
Dunn has a similar view of the combined value of CISO and CIO, but personally comes from a more tech background. She was doing competitive analysis on MFPs for HP when she caught the security ‘bug’ and began her journey towards becoming a CISO.
She likens the combination of IT and security to a car, where the driver is the business that needs to reach the finish line as quickly and safely as possible. IT provides the engine, but security – whose function is to ensure the vehicle and its driver reach the finish line safely – specifies the air bags, the type of brakes and the standard of tires. These can all affect the performance of the car – and it is this conflict between performance and safety that can lead to disagreements between IT and security.
The driver, which is the business, doesn’t really care and may not understand the nuances of the different options. The driver’s concern is to get his vehicle to the finish line. Dunn’s view is that this is best achieved when there is harmony between the engine and the brakes and tires, and this is best achieved when they are overseen by one person – a combined CISO/CIO.
Handling the pressure to improve IT efficiency over IT security
Sometimes, combining the functions merely displaces the underlying problem of conflicting priorities. The pressure for performance ultimately comes from other business leaders, and the CIO is merely responding to his or her perception of the business requirements. That pressure will still be applied, even if it is now at a combined CISO/CIO rather than the CIO alone.
There will still be occasions where the CISO has an absolute conviction than an IT solution presents greater security risk than the business allows. This can lead to a new impasse, but now between the CISO/CIO and other business leaders. Both Hanson and Dunn have similar solutions – the business leader or department that wants to accept a risk against the advice of the CISO must sign off on that risk.
“I require something physical,” said Dunn. “I need the business leader to provide a DocuSign signature, which I can present to the CFO.” Frequently, this requirement is enough to get the business leader to back down. “I can’t think of a single time where I escalated the issue and I wasn’t able to get it turned around,” she added.
Partly, but not wholly, this success will be down to the stronger hierarchical status enjoyed by a CISO/CIO over the CISO alone. The mission critical nature of IT for all modern businesses gives the CISO greater access to the CEO and the board through the CIO role than is usually available to security alone.
Hanson has similar pressures from business leaders seeking performance over security and has a similar solution. “There are times when you get pressure from other executives who want to remove certain security controls, demanding the most efficient IT processes possible.” Sometimes, the answer is simply, ‘No, absolutely not’.
“But a lot of security decisions live in a land of gray,” she continued. “Here, my role is to fully articulate the risk and how it might impact the business so that my peer executive understands.” If the peer accepts the risk and still insists, he or she must document acceptance on a risk ticket. Those risk tickets are regularly reviewed because a company’s risk tolerance changes over time.
The obvious example is the startup, whose risk tolerance during its growth phase is likely to be higher than an established company. But tolerances can go up or down. “Every year,” said Hanson, “we reevaluate the tickets to see if the risk still makes sense, or if something has changed where we need to go back and add in the mitigation controls.”
Ethical issues over risk acceptance
Dunn gives an example of some of the ethical issues that might arise in risk acceptance. In a previous life, when just the CISO, her company had a supply chain where third-party vendors provided goods for resale. One was offering goods at such a heavy discount that she looked more closely at the company concerned – and she didn’t like what she saw.
She had to lay out her concerns for the CEO, which included third-party cybersecurity risk from the supplier over poor security practices, and the potential to harm her own company’s customers through the discounted products. Her case was strong, but it had to be strong enough to deflect the profit motive for the business.
She raises another ethical issue. What can or should the CISO do if he or she discovers the company is mishandling or wrongfully collecting customer information? Even worse, what should she do if senior management asks her to look the other way, for good business reasons?
An interesting area is staff recruitment. Should a CISO/CIO recruit different people for the different roles? IT and cybersecurity, at the engineer level, are completely different functions – but the skills gap applies to both areas. One difference is that IT can be and is taught in schools. This is not so easy for cybersecurity, where the skills are mostly and best learned ‘on the job’. But there is also a difference in psychological skills, which can be described by the statement, ‘IT is a science; cybersecurity is an art’.
Hanson tends to recruit horses for courses. “I think the security mindset is different to the IT mindset,” she said. “On a couple of occasions, I’ve had IT people raise their hands and say, ‘I want to do security’.” But it didn’t work, and they had to move back.
“I think I’m learning that traditional IT practitioners generally focus on a more black and white world. They tend not to operate so well within the shades of grey and shades of risk analysis. They also like the idea of taking on a task and finishing that task. On the security side, I’ve found that practitioners are much more comfortable living in aspects of gray, and are comfortable with never, ever finishing a task.”
Dunn takes a different approach. She may eventually choose to place a recruit into a particular role, but to begin with she is more interested in the person than any prior experience or specific qualifications. “I’m more concerned with whether I can build and evolve that person,” she said. “I’m looking for that glimmer of curiosity, that evidence of the candidate being a self-starter and self-educator. These are the people I know will fit and work well in any team I build.”
We always ask our CISOs for the best advice they ever received, and what advice they would give now to new emerging leaders. It is often the same in both cases.
For Hanson, this advice was to be her own person: “Do what you want to do, and never let anyone say that’s not for you.” It’s advice that will resonate with any woman making a career in a male-dominated profession.
“I think being a woman and loving IT and technology and cybersecurity has not always been easy. When I was growing up, so many people and situations told me, ‘Hey, this isn’t a suitable space for you!’ Even my own family would say, ‘You’re into technology? That’s crazy!’”
But she had a mentor at high school who told her, “It doesn’t matter if you’re into this and enjoy technology and you enjoy doing things related to tech. Don’t ever let anyone tell you it’s not for you. If you find something that you enjoy doing, and you can make a career out of it, do it.”
That’s the best advice Hanson ever received and is the same advice she would give to anyone in any situation: ‘Be yourself’.
The advice Dunn would give is at a similar personal level – and would combine with Hanson’s: “Enjoy the moment. It’s what I would tell a younger version of me,” she said. “I was in such a hurry to get somewhere, I didn’t always enjoy where I was. Enjoy the journey you’re on. Enjoy your curiosity and being able to dig into things.”
And then she adds, “And the people you find on this journey. Don’t underestimate how important is to find people that you can’t wait to see on Monday morning because it adds to how much you enjoy your role and your job. Frankly, we’re all in different levels of chaos. But if you really enjoy the people that you’re in that chaos with, then it doesn’t seem that difficult.”
Finally, we asked our CISO/CIOs what they consider to be the biggest emerging cyber threats for the immediate future. For Dunn, it’s twofold. Firstly, it’s our growing reliance on open source code. Much of this code is maintained by very small teams, and sometimes just a single person. If a single maintainer is incapacitated at a critical moment, that could lead to big problems.
Her second concern focuses on current geopolitics, as highlighted by the Russia/Ukraine war. “We had this sort of tenuous agreement about what is and is not fair game for nation states in cyber – like attacks against critical infrastructure wouldn’t happen. Now we don’t know.”
Cyberwar changes the rules, but we’re not even sure what cyberwar is, nor whether we’re in the middle of one. The result is that we’re in a cyber age of uncertainty, but one that includes the potential for an increased level of aggressive attacks against critical infrastructures.
Such attacks are also Hanson’s concern. She’s worried about how easy it is for advanced criminal groups and nation states to steal data from critical industries. “So far,” she says, “we’ve been lucky and there’s been limited effect on our critical industries. But consider the effect of the Colonial Pipeline hack. It was somewhat isolated but the impact it had over the next six months was huge. Now imagine similar simultaneous attacks across multiple critical industries. It very quickly gets very scary.”
Related: CISO Conversations: Steve Katz, the World’s First CISO
Related: CISO Conversations: Netenrich, Malwarebytes CISOs Discuss Security Vendor CISOs
Related: CISO Conversations: Intel, Cisco Security Chiefs Discuss Making of a Great CISO
Related: CISO Conversations: The Difference Between Securing Cities and Businesses