Maximizing the CIO/CISO Relationship
Govciooutlook


Thomas Gresham, Assistant Director, General Services Department, County of Santa Barbara


Thomas P. Gresham, Assistant Director within the County of Santa Barbara, discusses how to generate the best outcome from the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) relationship.

Reporting Structure

Traditional organizational frameworks place the CISO position as a direct report to the CIO. This structure has been challenged in recent years with the increasing importance of cybersecurity risk management. As the cyberspace threat landscape expands, the CISO has been tasked with managing risk from multiple sources, including legal/regulatory exposure, business continuity, revenue loss and reputation. Similarly, the technical scope is also increasing with the interconnectivity of industrial control systems such as building climate controls and physical security systems. Given this level of responsibility and oversight, the CISO should report directly to the CEO in order to effectively influence lines of business and to have a direct communication channel to the C-suite.

Different Missions

The CIO and CISO often have different missions and perspectives on how IT is to be treated in terms of funding, program management, and strategic vision. The CIO provides strategic leadership and oversight for IT systems, processes and personnel that enable the organization’s core mission. It is the responsibility of the CIO to lead IT staff, innovate and maintain budgets. The CISO is focused more on managing risk in terms of how information and services are delivered. Priorities will differ and it is for this very reason that the CISO should not report directly to the CIO as it would compromise the CISO’s ability to operate independently without undue influence.

Gained Synergies

Having served in both capacities, I have learned that both missions can work hand-in-hand in a mutualistic relationship. When the CIO and CISO are peers reporting to the CEO, funding sources and missions can be defined and applied so that little conflict arises. The CIO is given a budget to maintain, grow and transform the business through innovation, automation and other activities directly tied to enabling organizational business goals. The CISO requires a separate funding source, as his/her mission entails ensuring that risk is managed to a level commensurate with the value of the information, service or asset. Managing the risk to an organization should be funded from a source outside the CIO's IT capital and operational budgets, because risk management is akin to safety, insurance and other more traditional risk management functions. This CISO budget can then be tailored specifically to the level of risk the organization is willing to accept.


The CIO should embrace opportunities to strengthen IT services through the application of proper security measures, as this not only increases resiliency but also demonstrates due diligence in the event that a breach and subsequent lawsuit ensue. Similarly, CISO-driven audits and checks are opportunities for the CIO to draw attention to needed improvements in IT services.

Final Thoughts

The CIO and CISO are not in competition for resources, as the focus area differs for each mission. Rather, both roles are interdependent and form a partnership in delivering IT services that enable the business while at the same time providing appropriate security and resilience. CEOs that recognize and appreciate how this relationship can bring the best value to an organization will offer both the CIO and CISO equal seats at the table.
