BreachExchange mailing list archives
Why Do So Few CISOs Become CIOs?
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 19 Oct 2020 09:33:24 -0500
https://www.forbes.com/sites/peterhigh/2020/10/19/why-do-so-few-cisos-become-cios/#7f842129362c

Very few chief information security officers have risen to the ranks of chief information officers. On the one hand, it would seem like a logical progression. CISOs historically have reported to CIOs. The importance of their roles has grown tremendously as the threat landscape has done the same. Also, as security has risen to a board-level concern, CISOs are often asked to speak before the executive team and board, underscoring the importance of the discipline, while also raising the profile of the executive.

So why has this not been a greater pathway? First, as CIOs must focus increasingly on innovation, which is about risk taking, CISOs manage or mitigate risk. That is not to say that there is not profound innovation that CISOs can undertake on behalf of their companies, but this focus has been a limiting factor to these executives' rise, nevertheless. Additionally, security roles can be siloed relative to other roles in information technology, and the lack of leadership roles across IT can be viewed as another limiting factor.

On the positive side for CISOs, they are increasingly set up as peers to CIOs in a number of companies with the growing importance of security and the increased cases of breaches across a wide array of companies. One example of a CISO who has risen to the CIO role is Wafaa Mamilli, who is the Executive Vice President and Chief Information and Digital Officer of Zoetis Inc., the largest global animal health company. Mamilli was the Global CISO for Eli Lilly for three years through February 2016, when she was promoted to the role of Global Chief Information Officer, Business Units at Eli Lilly. Another example is Jason Ruger, who simultaneously has the title of global CISO of Lenovo, while also serving as CIO of the company's Motorola business unit.
When asked about how she navigated the pathway from CISO to CIO, Mamilli noted that focusing on enabling business strategy has been key. "Throughout my career, I always made sure to position whatever role I had in the context of the business strategy and outcomes we aspire to achieve," she said. "This led me to be a continuous student of the business and the technology at the same time. Magical things happen at the intersection of fields."

She noted that her role as CISO was a "happy accident" of sorts, though she is happy she had those responsibilities. "My company entrusted me with the role with no experience at all in information security," she said. "I know that this was because of my deep understanding of the business and credibility in a variety of roles around the globe and the Technology function." She believes that the role of CISO was the best learning opportunity for her, and both the steep learning curve and the intensity of the experience prepared her for the broader responsibilities she now has.

In Jason Ruger's dual role, he must balance the CIO's desire to collect as much information from as many different sources as possible to build insights with the CISO's responsibility to separate those different sources to not allow views across multiple data sources that would result in lateral movement and increased risk. "The more data we have or that our customers choose to share with us, if they opt in from a privacy standpoint, the more of a liability it creates for the company," said Ruger. "From the CIO standpoint, the more data we have that our customers share with us or the more data we collect from a manufacturing line to know exactly what machines soldered the specific part onto a device from a quality standpoint, the better decisions I can help the company make as CIO."

Mamilli believes that the CISO role requires putting the business context at the center of the thinking process all the time.
"Balancing security with convenience while enabling the relevant innovation at the right pace is critical to be an executive that gets to 'yes' rather than being a 'no' all the time." In her current role, she draws upon the thought process that once dominated her responsibilities. "In my current CIDO role, I have a deep appreciation of the technology risks, the need for security by design as well as upskilling the teams to really make security and risk management everyone's job," she noted.

Ruger finds that holding this dual role helps him better understand the need to find alignment on what parts of the business are most important to protect from a cybersecurity standpoint and also what parts of the business are most important to invest in. He also finds that from a CISO perspective, having both roles helps him better understand sometimes opposing direction from the CIO with regards to which systems to prioritize from a cost perspective. "As a CIO, I understand the pressure that CISOs put on CIOs. CIOs typically are under a lot of cost pressure; we have a hybrid mix usually of on-prem [compute] and cloud. Those systems are not always patched as frequently as we would like. We cannot get the downtime, we do not have the resources, etc. From a CISO standpoint, it helps me understand from the CIO's perspective that we need to prioritize which systems we need to patch. We need to prioritize what monitoring and layers we put on so that we do not treat all data as the same."

Mamilli, for one, believes that more people should have a stint at CISO on their path to becoming CIO, as it is a critical skillset that is not going to diminish anytime soon. "I strongly believe now that security and risk management acumen are must have in any c-level executive position leading technology and digital," she said. "This acumen can be acquired through rotational experiences.
I would highly recommend including a security role assignment in the career plan of any aspiring to be CIO, CIDO."