Maximizing the CIO/CISO Relationship
Govciooutlook


By Thomas Gresham, Assistant Director, General Services Department, County of Santa Barbara


Thomas P. Gresham, Assistant Director within the County of Santa Barbara, discusses how to get the best outcome from the relationship between the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO).

Reporting Structure

Traditional organizational frameworks place the CISO position as a direct report to the CIO. This structure has been challenged in recent years as cybersecurity risk management has grown in importance. As the cyber threat landscape expands, the CISO has been tasked with managing risk from multiple sources, including legal and regulatory exposure, business continuity, revenue loss and reputation. The technical scope is growing as well, as industrial control systems such as building climate controls and physical security systems become interconnected with the enterprise network. Given this level of responsibility and oversight, the CISO should report directly to the CEO in order to influence lines of business effectively and to have a direct communication channel to the C-suite.

Different Missions

The CIO and CISO often have different missions and different perspectives on how IT should be treated in terms of funding, program management and strategic vision. The CIO provides strategic leadership and oversight for the IT systems, processes and personnel that enable the organization's core mission. It is the responsibility of the CIO to lead IT staff, innovate and maintain budgets. The CISO is focused on managing the risk inherent in how information and services are delivered. Their priorities will differ, and it is for this very reason that the CISO should not report directly to the CIO: doing so would compromise the CISO's ability to operate independently and without undue influence.

Gained Synergies

Having served in both capacities, I have learned that the two missions can work hand in hand in a mutually beneficial relationship. When the CIO and CISO are peers reporting to the CEO, funding sources and missions can be defined and applied so that little conflict arises. The CIO is given a budget to maintain, grow and transform the business through innovation, automation and other activities directly tied to enabling organizational business goals. The CISO requires a separate funding source, because his or her mission is to ensure that risk is managed to a level commensurate with the value of the information, service or asset. Managing risk to the organization should be funded outside the CIO's IT capital and operational budgets, since risk management is akin to safety, insurance and other traditional risk management functions. The CISO's budget can then be tailored specifically to the level of risk the organization is willing to accept.


The CIO should embrace opportunities to strengthen IT services through the application of proper security measures, as this not only increases resiliency but also demonstrates due diligence in the event that a breach and a subsequent lawsuit ensue. Similarly, CISO-driven audits and checks are opportunities for the CIO to draw attention to needed improvements in IT services.

Final Thoughts

The CIO and CISO are not in competition for resources, because the focus of each mission differs. Rather, the two roles are interdependent: they form a partnership in delivering IT services that enable the business while providing appropriate security and resilience. CEOs who recognize and appreciate how this relationship can bring the best value to an organization will offer both the CIO and the CISO equal seats at the table.
