
Insiders Offer Perspectives, Advice for CIO-CISO Relationships

Chief information officers and chief information security officers should work together closely, panelists agreed during a breakout session at last week’s California Virtual Public Sector CIO Academy.

IT experts say that in any sizable government IT organization, there are two C-suiters who especially need to be familiar, comfortable and trusting of one another: the chief information officer (CIO) and the chief information security officer (CISO).

“CIOs and CISOs Can’t Be Strangers” was the title — and the message — of a breakout session during last week’s California Virtual Public Sector CIO Academy. The panelists were state Chief Technology Officer (CTO) Liana Bailey-Crimmins; Covered California Chief Information Officer (CIO) Kevin Cornish; state Chief Information Security Officer (CISO) Vitaliy Panych; San Joaquin County CIO Chris Cruz; and Srini Subramanian, principal with Deloitte Risk and Financial Advisory. Moderating the breakout was Paul Kaufman, technical services section manager for the state Franchise Tax Board.

“I bring a unique perspective,” said Bailey-Crimmins, who was named state CTO earlier this month. Before that appointment, Bailey-Crimmins had served terms as CIO and CISO for the California Public Employees Retirement System. “I’ve been lucky enough to look (through) both lenses. I would say that CIOs and CISOs are two sides of the same coin. There’s probably not two positions that are more critical that they collaborate and partner, and if they don’t, there are dire circumstances across an organization,” she added.

“The CIO looks at the world from (a perspective of) innovation, optimization, operationalizing the mission when it comes to establishing a business strategy,” Bailey-Crimmins said. “When it comes to the CISO, we look at it from the same perspective, but we look at it from detecting, preventing, responding to threats to that same environment. So I would say it’s extremely important that they collaborate, that they communicate, that they are seen by the executive body as one, because as you implement technology changes, you want to make sure you’re doing it in a secure manner.”

Panych, who has almost 20 years’ public- and private-sector experience in cybersecurity, agreed that CISOs are “tied at the hip” with CIOs and noted that both have a stake in successfully defending government from cyber attacks. Panych said, though, that responsibility for cybersecurity doesn’t begin and end with the CISO. Rather, he said, there’s “risk at every level” of an organization.

Bailey-Crimmins contrasted the roles — the CIO has a larger budget than a CISO and, thus, more responsibility but also more opportunity to allocate resources to innovation. But the CISO and the cybersecurity apparatus aren’t just an insurance policy for the CIO’s agenda, she said.

“You’re jumping out of a plane,” she said. “It’s not a matter of if, but when. Do you want the NASA version of the parachute, or do you want the Dollar Store version of the parachute?” Both the CIO and CISO roles are very important, she said, but they “must work hand in hand.”

Panych said that while developers and others may see the expansion of innovation service delivery and public services as the main outcome of innovation, security specialists see that service growth as “expanding our attack surface … more opportunities to get into an organization, exploit an application, a business process, conduct fraud, all those bad things that we deal with from an incident-response perspective.”

But, Panych added: “At the end of the day, we have to speak the same language, as far as the mindset of a CIO and a CISO — understand the strategy, where are we going, what’s our bottom line, what business are we in? … If we (CISOs) hamper innovation or service delivery by impeding certain security controls, then we’re being counterintuitive to the bottom line, to the business.”

Kaufman, the moderator, asked the panelists to outline the most common areas of contention between CIOs and CISOs.

Panych cited communication, saying each must understand the other’s role. “Be on the same page, be tied at the hip and speak the same language.”

Bailey-Crimmins said: “There’s going to be times when the CIO and the CISO disagree, and that’s OK.” But, she said, it’s important that both sides agree on “the rules of engagement.”

Cornish of Covered California said disagreement between a CIO and a CISO isn’t always a bad thing.

“It leads to better decisions, right? You bring that divergence of perspectives forward. I also think that these two roles are kind of converging. A legacy CIO was basically a service provider, a utility player. And I think the CIO has become more of a strategic enabler today — you get called into strategic decisions that aren’t always about technology. And I think in a similar way, the CISOs were typically the traffic cop who said, ‘Stop, don’t do that, risk ahead.’

“And I think CISOs are becoming more business consultants now, saying: ‘There’s a couple of ways to do something, and I’m going to tell you about the perils that might be associated with each. I’m going to let you make a good business decision informed by my security knowledge.’ And I think that convergence is really important for both.”

Cruz, the San Joaquin County CIO and IT director, also sees a need for humility among occupants of the C-suite.

“I think this is about checking your ego at the front door,” said Cruz, who was deputy state CIO and chief deputy director of the California Department of Technology before taking the San Joaquin County position in 2019. “The CISO and the CIO have to work together to effectuate policy change within all branches of government. This is really important. How you present information — I would say it’s a vehicle in which you deliver information. It’s the correct posture because cybersecurity is our new World War III, and we have to take it seriously, and we have to work together to ensure that there’s a single pane of glass across the enterprise for our respective organizations.”

Cruz added: “We can agree to disagree at the end of the day, but whatever decision we make, we’ve all got to get in the boat and row in the same direction.”

Subramanian, who co-authored a cybersecurity study for Deloitte and the National Association of State Chief Information Officers, said, “CISOs need to be enablers of innovation, not a barrier.”

Subramanian added: “For good or bad … there is a reputation that you bring a CISO into a room with business leaders, and they’re going to find 20 reasons as to why a particular innovation cannot happen, because of the risk. But we put that consciously up front as enablers of innovation, because that is one recipe to getting a seat at the table, to say, ‘Yes, we can do this innovation, and this is how you mitigate the risks. …”

Subramanian also contrasted the priorities of many state-level CISOs, which he characterized as “audit logging, security operation centers and so forth,” with those of private-sector CISOs, particularly in financial services, who “are talking about top cybersecurity investment priorities being cloud, data analytics and robotic process automation.”

Bailey-Crimmins added: “The day of the Chief No Officer is gone, and the CIO role has evolved faster in being a trusted adviser and strategist than the CISO. The CISO is coming up to speed and we’re seeing more of that, where it’s about what risk appetite do we have and how do we manage the risk? Both of them have to be strategists. … The CISO really does need to start having those more strategy-related discussions with the enterprise.”

Dennis Noone is Executive Editor of Industry Insider. He is a career journalist, having worked at small-town newspapers and major metropolitan dailies including USA Today in Washington, D.C.