The relationship between the CIO and CISO is often seen as one that is complicated by conflicting priorities. CIOs are under pressure to drive business solutions faster than ever, so the risk mitigation that the CISO seeks to achieve often creates an imbalance between the two – security and business velocity at odds. Fortunately, as CISO at SailPoint, I find that things are quite nicely in balance and I enjoy a fantastic relationship in the area.
I’ll set the stage a bit for you. I’ve worked at SailPoint for over ten years. I wear two hats, CTO and CISO. Essentially, I’ve been the keeper of much of our security strategy as CISO and the driver of technology innovation as CTO. My combination title is an uncommon but advantageous one, requiring me to not only stay abreast and aware of new threats and attack vectors, but also help set the direction for future technology, products and services.
Kevin Hansel, our new CIO, has only been with the company for about six months. In Kevin’s past life, he managed IT at some very large companies (AT&T, Kodak, HP) and several small startups too. He has a wide range of experience across many different IT environments, allowing him to understand the value in a dynamic relationship with the CISO. He’s now running the IT show, but is also a big believer in security and knows from past experience what a great CIO/CISO relationship should be.
Kevin said it best himself, “Security rarely makes anyone’s job easier. By its very nature, it often creates obstacles or processes that make a user’s life more difficult. As technology leaders, our challenge is to make security as transparent for the business as possible,” That is fundamentally true. For security to be effective, buy-in needs to happen across the organization, and CIOs and CISOs must team up to make that happen.
In an effort to create a strong, symbiotic CIO/CISO relationship, Kevin and I narrowed down some of the key elements that allow us to closely align security, innovation and business velocity, to create a successful double act. Here are a few of the high-level memes that we often talk about:
For my part as CISO we should:
Go light on the FUD
Fear, Uncertainty and Doubt has long been the driver for security spending. As a CISO, your most effective card is too often FUD. But that doesn’t work for the business anymore. Everyone is getting owned, everyone is in the news and there’s just a certain fatigue with FUD as a driver. As a security industry we have to move towards empowerment, not power off. We need to point towards innovation, enhanced user experience and generally a more positive, contributory approach, leaving the FUD behind.
Start from the perspective that it’s not if, it’s when you’ll have an issue, and that detection and remediation are every bit as important as prevention. You have to invest in all three technologies and approaches, and do so evenly. If we can drive a healthy balance between prevention and detection, and place a high value on the process and capabilities that enable rapid remediation, we’ll be in much better shape when it does happen.
Know that complexity is the enemy of security.
It’s important to appreciate that everything is inherently insecure and that complexity (in people, process and technology) always creates a window for vulnerability and attack. As the respected security luminary Bruce Schneir said, “As systems get more complex, they always get less secure.” The more we can simplify a process or an application, the more likely we are to accurately secure it. Security itself is rarely a feature that the end user “buys” around. Most end-users will choose a complex feature over a simple security capability. There’s no shame in that. It’s just how things are. But, if we can bring together a little bit of simplification with the kinds of enhanced security that registers as a feature for the end-user, we stand a chance.
Kevin’s top three security priorities for the CIO:
Find the right balance
While the pressure to help transform and accelerate the business is greater than ever, CIOs must have a laser focus on balancing the needs of the business with the need for strong security. It’s not that you have to choose between one or the other. You must deliver on both. A strong CIO/CISO partnership coupled with a risk-based approach is critical to ensuring businesses focus their security resources in all the right areas.
Use innovation and creativity to reduce security friction
There are many ways to solve problems for security, and the easiest are often the brute-force, black-and-white solutions that can have a large impact on the business. What separates the best CIOs are those who use innovation and creativity to simultaneously strengthen security while minimizing friction at the same time. The benefits are three-fold: greater user buy-in, better security and reduced impact to business velocity.
Be a security champion, and build in security from the beginning.
CIO’s should champion security and build it into everything IT does from the very beginning. Security should not be an overlay or the CISO’s problem to solve. It must be a key IT architectural goal and core component of every process, system and application deployed. Designing strong security in from the beginning ensures a much more seamless alignment between the business and security in the end.