CIO vs. CISO—Who Is the Bad Guy?
Eugene Liderman

Trying to come up with new solutions for our public sector customers and then dealing with the information assurance community to get them approved has often made me feel like I have multiple personalities. Half of me cares about the user experience and productivity gains, while the other half focuses on how the solution complies with policy requirements. It can be pictured as a teeter-totter, with security on one end and usability on the other.

Although this is a battle I fight in my head, in the corporate world, the battle is often fought between the chief information officer (CIO) and the chief information security officer (CISO). I often visualize some mythical battle between good vs. evil… But, who is the bad guy?

I could make arguments both ways.

CIOs are the good guys because they:

  • Bring in cutting-edge technology to the user community
  • Embrace the consumerization of IT and reduce total cost of ownership (TCO)
  • Advocate for better productivity and user experiences

CISOs are the bad guys because they:

  • Try to stifle innovation
  • Restrict adoption of new technology and inadvertently force users to bypass the current system and policy requirements

But this can be turned on its head. Perhaps CIOs are the bad guys because cutting-edge technology can introduce new and potentially unknown risk to the infrastructure, and is sometimes unproven and unreliable. Perhaps CISOs are the good guys because they try to prevent exactly that.

Bring your own device (BYOD) is a great example of this. If you ask a CIO, “What does BYOD mean to you?” they would likely answer: “BYOD is the greatest thing ever! It increases user satisfaction and productivity, and reduces the total cost of ownership and overall spending.” If you ask the same question of a CISO, the response would likely be: “Don’t you mean Bring Your Own Disaster! I’m not signing off on this data-leak-ready-to-happen scenario.”

Perhaps the best way to explain this is to relate it to the book Men Are From Mars, Women Are From Venus, as my wife described it to me. At the end of the day, these two roles and their respective personalities think differently, and that is not a bad thing. Depending on your role and your professional experience, you may side with one view or the other. I have personally dealt with both, and my conclusion is that you need both the CIO and the CISO carrying equal authority. They are the yin and the yang, and because of this, there are checks and balances in place that produce solutions that are usable as well as secure and compliant.

Read Eugene Liderman’s recent ISACA Journal interview:
“Five Questions With… Eugene Liderman,” ISACA Journal, volume 1, 2013

Comments

Broken Market

It is all about risk appetite and tolerance in various scenarios. No good guys, no bad guys, just a higher than previously experienced velocity of risk and higher corrosives if an entity is required to use new technologies to remain competitive in their type of industry. Same game but some more to the higher-stakes tables. May the best metrics and business case win. I would sacrifice soft dollar productivity or user satisfaction for security posture if I had exposure that outweighed value. I would take the opposite position if the value proposition and risk exposure were reversed.
Patrick Lynch at 2/26/2013 8:32 PM

On same side of table

It would be better for boards to make them sit on the same side of the table than opposite. At the end of the day, organisation interests are best served by both. Having said that, with ever changing technology, CIOs are better placed to take the organisation to the next level, closely followed by the CSO framing policies that adapt to changing technology rather than stifling it in the name of security.
Vadiraj Joshi at 3/4/2013 9:11 PM