Trying to come up with new solutions for our public sector customers and then dealing with the information assurance community to get them approved has often made me feel like I have multiple personalities. Half of me cares about the user experience and productivity gains, while the other half focuses on how the solution complies with policy requirements. It can be pictured as a teeter-totter where security and usability go head to head.
Although this is a battle I fight in my head, in the corporate world, the battle is often fought between the chief information officer (CIO) and the chief information security officer (CISO). I often visualize some mythical battle between good vs. evil… But, who is the bad guy?
I could make arguments both ways.
CIOs are the good guys because they:
- Bring in cutting-edge technology to the user community
- Embrace the consumerization of IT and reduce total cost of ownership (TCO)
- Advocate for better productivity and user experiences
CISOs are the bad guys because they:
- Try to stifle innovation
- Restrict adoption of new technology and inadvertently force users to bypass the current system and policy requirements
But, this can be turned on its head. Perhaps CIOs are the bad guys because cutting-edge technology could introduce new and potentially unknown risk to the infrastructure, and is sometimes unproven and unreliable. Perhaps CISOs are the good guys because they try to prevent exactly that.
Bring your own device (BYOD) is a great example of this. If you ask a CIO, “What does BYOD mean to you?” they would likely answer: “BYOD is the greatest thing ever! It increases user satisfaction and productivity, and reduces the total cost of ownership and overall spending.” If you ask the same question of a CISO, the response would likely be: “Don’t you mean Bring Your Own Disaster! I’m not signing off on this data-leak-ready-to-happen scenario.”
Perhaps the best way to explain this is to relate it to the book Men Are From Mars, Women Are From Venus, as my wife described it to me. At the end of the day, these two roles and their respective personalities think differently, and that is not a bad thing. Depending on your role and your professional experience, you may side with one view or the other. I have personally dealt with both, and my conclusion is that you need both the CIO and the CISO carrying equal authority. They are the yin and the yang, and because of this, there are checks and balances in place that provide solutions that are usable as well as secure and compliant.
Read Eugene Liderman’s recent ISACA Journal interview:
“Five Questions With… Eugene Liderman,” ISACA Journal, volume 1, 2013