“The farmer and the cowman should be friends.”
These are lyrics from Rogers and Hammerstein’s Broadway musical “Oklahoma!,” first performed in 1943, and adapted to the silver screen in 1955. Having grown up and spent most of my life in Oklahoma, I am very familiar with this musical and have seen it performed many times. This song highlights a common conflict between farmers who want to enclose their crops with fences and cowmen who prefer to allow their cattle to roam freely over open ranges.
As a Chief Information Officer (CIO) with a background in software development, I have seen a similar tension between the CIO and the CISO (Chief Information Security Officer); it similarly applies between application developers or SaaS (software-as-a-service) implementors and the information technology security experts.
In each case, one side wants to focus on delivering value and functionality without being “fenced in” by security requirements. The other group wants to protect the company’s assets, intellectual property, and reputation, without having it exposed to unnecessary risks by the application team “cowboys.” I have witnessed this standoff first-hand throughout my career and have come to appreciate that both sides have valid arguments. I’m not sure if the farmers and the cowmen came to an agreement that made everyone happy, but I do know there are ways for CIOs and CISOs to achieve a strong balance of functionality and security.
The most important strategy is to have good open communication and collaboration between the CIO and the CISO. It should be communication and collaboration that focuses on the needs of the company, with each leader helping the other understand the benefits of what they are trying to achieve, and then finding a middle ground that provides optimal balance.
5 Ways a CISO Can Help a CIO Understand Cybersecurity Needs
- Build a strong relationship: It is important for the CISO and CIO to have a strong working relationship based on trust and mutual respect. This can help to foster a sense of collaboration and cooperation between the two roles. To help gain a comprehensive understanding of either role, consider additional training or continuing education. To better understand cybersecurity, I earned a certification called CEH (Certified Ethical Hacker). It might be equally beneficial for a CISO to gain knowledge in applications and software engineering.
- Communicate clearly and openly: It is essential for the CISO to clearly communicate the reasoning behind any security recommendations or concerns. This can help the CIO understand the importance of security and the potential consequences of ignoring these recommendations.
- Work together to find solutions: Instead of simply presenting problems, the CISO should work with the CIO to find solutions that meet the needs of both the business and security. This can help to ensure that the CIO feels like a valued member of the team and not an obstacle to progress.
- Emphasize the benefits of security: The CISO should emphasize the specific benefits of implementing strong security measures in terms of both reputation and financial impact. This includes protecting the company’s reputation and customer trust, as well as minimizing the risk of costly financial losses due to data breaches or cyber attacks, which can be in millions of dollars. By presenting these benefits in clear and specific terms, the CISO can effectively communicate the importance of security to stakeholders.
- Seek out opportunities for collaboration: The CISO should seek out opportunities for collaboration with the CIO, such as jointly developing security policies or working together on the selection and implementation of new technology.
5 Ways a CIO Can Help a CISO Understand the Benefits of New Technology
- Explain the business benefits of new technologies: Show the CISO how adopting new technologies can improve the company’s efficiency, productivity, and competitiveness.
- Demonstrate the potential risks of not adopting new technologies: Help the CISO understand the potential consequences of falling behind the technological curve, such as losing market share or missing out on new revenue opportunities. For example, Kodak failed to adapt to the advent of digital photography. As a result, it lost market share to digital camera manufacturers and ultimately filed for bankruptcy in 2012. That’s an extreme example but highlights how important it is to avoid technical debt.
- Provide examples of successful technology implementations: Share examples of other companies that have successfully adopted new technologies and the benefits they have realized.
- Involve the CISO in the technology selection process: Give the CISO the opportunity to participate in the evaluation and selection of new technologies, so they can be involved in the decision-making process and feel more invested in the outcome. Be sure to invite the CISO to technical working group meetings, vendor demonstrations, proof of concept evaluations, and steering committee meetings.
- Highlight the importance of risk management: Emphasize that adopting new technologies is not about eliminating all risk, but rather about effectively managing and mitigating risk to an acceptable level.
The CIO and CISO play critical roles in the success and security of a company, and it is essential that they work together to find a balance between the needs of the business and the need for security. By collaborating on the selection, use, and management of new technology such as cloud-based applications, the CIO and CISO can help ensure that these applications do not result in data breaches or other cyber security compromises.
Want more tech insights for the top execs? Subscribe to the CXO channel: