In a recent analysis, I referenced the song “The Farmer and the Cowman” from the musical Oklahoma to describe the sometimes tenuous relationship between a CIO and CISO, particularly in the context of balancing functionality and security. I suggested that open communication and collaboration are key to finding the optimal balance. Now, I’d like to present a framework for getting the most out of those strategies.
1. Assess the Current State
The CIO and CISO should evaluate the IT infrastructure, cybersecurity posture, and existing policies, taking into consideration the unique requirements and challenges of the industry. Identify strengths, weaknesses, and areas of improvement. For my company, this includes assessing the security of manufacturing systems, data storage, and access control measures. An effective way to do this is through a joint risk assessment focusing on areas such as industrial control systems (ICS), network infrastructure, and intellectual property protection, which surfaces strengths, weaknesses, and opportunities for improvement.
2. Define Shared Objectives
Work together to identify and agree upon shared objectives that serve the company’s overall goals. These objectives should focus on enhancing security, improving IT efficiency, and enabling business growth. For a manufacturing company, it might mean enhancing manufacturing efficiency, reducing downtime, and protecting sensitive data. One specific project could be to work together to implement a secure cloud-based solution for managing the company’s production data, with the goal of reducing on-premise infrastructure costs and ensuring data protection.
3. Prioritize Initiatives
Collaboratively prioritize initiatives based on their potential impact, feasibility, and alignment with shared objectives. In manufacturing, this often requires considering the potential impact on production efficiency, data security, and compliance with industry-specific regulations. A typical project for my company might be to prioritize the implementation of multi-factor authentication for remote access to the company’s network and production systems, as this measure can significantly enhance security without disrupting operations.
4. Develop a Strategic Roadmap
Once the shared objectives and priorities are established, CIOs and CISOs should work on a strategic roadmap that outlines the steps required to achieve their goals. This document should be regularly reviewed and updated to ensure that it remains relevant and effective. Be sure to include timelines for implementing new technologies, security measures, and process improvements. The roadmap could include milestones such as upgrading ICS security, implementing secure remote access solutions, and adopting a more robust data backup and recovery strategy.
5. Establish Governance Structures
Outline the roles and responsibilities of each executive and their respective teams. This will help to ensure accountability and facilitate collaboration between IT and security functions. The governance structure could include a joint steering committee with representatives from both IT and security departments, responsible for overseeing the implementation of shared objectives and ensuring alignment with the company’s overall strategy. In my company, the steering committee also includes the CFO, the general counsel, and the operations director.
6. Communicate the Vision
The common vision should be effectively communicated to stakeholders, including employees, partners, and customers. This can involve presentations, meetings, and written communications such as internal newsletters or blog posts. In my company, we have periodic town hall meetings, which offer good opportunities to present a strategic roadmap, highlighting the proposed initiatives and soliciting feedback.
7. Encourage Feedback and Input
Ask for and facilitate input from employees and other stakeholders to ensure that the common vision remains relevant to, and reflective of, the organization’s needs. This can involve soliciting feedback through surveys, focus groups, or one-on-one meetings. I’ve found that people throughout the organization are much more likely to support initiatives, particularly around security concerns that may limit their ability to do their job, when they have been included in the conversation throughout the process. You may also find that your plans will create unnecessary hardships for employees, and that these difficulties can be resolved with minor changes.
8. Measure Progress
Establish key performance indicators (KPIs) to measure the progress toward the shared objectives. This might include such statistics as the percentage of systems with up-to-date security patches, the number of security incidents, and the time taken to resolve IT issues. The CIO and CISO could jointly review the KPIs on a quarterly basis, discussing any deviations from the targets and identifying areas for improvement.
9. Adjust and Adapt
Regularly review and adjust the common vision as needed, based on changes in the organization’s environment, emerging technologies, or new cybersecurity threats. This will help to ensure that the vision remains relevant and that both executives can continue to work together effectively. You might hold annual strategy meetings to review the strategic roadmap, discuss emerging trends in the industry, and identify opportunities for further collaboration and alignment. I find that creating recurring reminders in our ticket system helps me to remember to schedule these important meetings that happen only once or twice a year.
In conclusion, establishing a strong working relationship between the CISO and the CIO is crucial for the overall success and security of a company. Following this practical framework will enable CISOs to engage with CIOs more effectively, fostering a productive and cooperative environment that ultimately benefits the entire organization.
This article has been updated since it was originally published on May 3, 2023.