Opinion: Why A CIO Should First Be A CISO

Historically, IT was founded around two core competencies: hardware and software. In the 90s, companies in higher-risk arenas began to also focus on cybersecurity. Those three disciplines form the core of IT as we all practice it today.

Both a Chief Information Security Officer (CISO) and a Chief Information Officer (CIO) must understand how all IT works. This means how the programs are written, how the data is used, how the infrastructure communicates, and how the information is stored. Both need to ensure IT meets the organization’s needs and is aligned with business goals. But at the end of the day, CISOs and CIOs do very different jobs.

A CIO generally rises to the position by working in the software arena. Those systems are the most visible within the business, which lets future CIOs spend time with the rest of the organization, customizing the look and feel of applications, and eventually becoming the de facto face of IT. This is how many CIOs come to serve as members of the leadership team.

The CISO is a more recently created role that is focused on security. As a result, most people tend to view the CISO as the person who says "no" or demands that passwords be more complicated and changed more often. The board of directors sees the CISO when it needs to be briefed on cybersecurity matters, but the CISO typically isn't part of day-to-day operational discussions.

What is the difference between a CISO and a CIO?

If a doctor were to tell the CIO they had cancer, the CIO would understand that the cancer needs to be dealt with. The CIO accepts the treatment but lacks the experience to know what the treatment will do to their body until it happens; their response to the treatment is reactive. The CISO, by contrast, understands and has experienced the effect of the treatment, and can prepare their body to better withstand it before it happens.

Until recently, applications were not built with security, privacy, or compliance by design. Many legacy systems that do incorporate these elements by design still fall short of the current threat environment, and the updates that would improve them are often deprioritized behind new features. The processes, software lifecycles, security requirements, compliance demands, and even the way the programs must be installed are not part of a CIO's experience. They understand the need, but they don't have the experience to understand the risk inherent in these items.

A typical CISO works across the trifecta. They have to understand how the software works to ensure that development and deployment are secure. They have to understand how the hardware communicates so that information flows can't be intercepted. They need to understand how the data is stored so that it can't be breached. Put another way, the CISO must consider every element the CIO does, along with privacy, protection, and all legal and compliance requirements.

Using Six Sigma to understand CISO vs. CIO

One way to frame this is through Six Sigma, a process-improvement methodology (not a cybersecurity framework as such) that maps well onto the CISO/CIO paradigm. With gratuitous simplification, Six Sigma offers two ways to improve your organization. One is DMAIC (Define, Measure, Analyze, Improve and Control), which improves and secures an application or protocol that already exists. The other is DFSS (Design for Six Sigma), which introduces a new product or protocol designed with Six Sigma in mind from the start.

While this isn't meant to be a Six Sigma primer, the concepts are important. A sigma level measures how reliably a process avoids defects: the higher the level, the fewer defects per million opportunities, and a six-sigma process produces only about 3.4 defects per million. Generally, by the time any process reaches six sigma, the cost of additional improvements (higher sigma levels) greatly outweighs the return from those improvements. Practitioners also find that improving something that already exists (DMAIC) plateaus at roughly four sigma, because beyond that point the inherent design flaws cannot be corrected. Designing from the ground up (DFSS) is the only way to reach six sigma.

A CIO can help organizations improve what they have (and typically reach four sigma), but the CISO can help organizations reach six sigma. Those two extra levels make a world of difference: if you don't design your IT systems to deal with privacy, cybersecurity, and regulations, then you don't understand the risks. And those risks can be costly; just ask Equifax. Hoping that your business won't have an issue is not a plan. The breach data show that, statistically, every organization will have some level of security issue.

Cybersecurity must have a seat at the table

There's one other key difference between the CIO and the CISO. The CIO has a seat at the executive table and does their best to represent the CISO there. But when the CISO is invited to brief the leadership on matters of cybersecurity, they must balance their comments between protecting the organization and upsetting their supervisor, and the latter can affect their performance reviews and bonuses.

Great leaders have many similar traits, but one that stands out is that they own their actions. If an IT leader hasn't been a CISO, they simply cannot represent all facets of IT. Without proper guidance, how does the executive leadership evaluate the holistic process and its associated risk in order to make a decision? Without this knowledge and forethought, the cost of making the organization compliant a few years down the road with yet another bolt-on will be higher, and the bolt-on often reduces productivity while increasing risk.

The best leader is one who brings the greatest experience and skills to the table. This is always the CISO because they are the person whose role demands the most holistic view of IT.

That being said, I am not proposing that we eliminate the CIO. That isn’t the case at all. We need a dedicated IT leader and a dedicated cybersecurity leader in the organization. But, just as other types of operational leaders are required to have spent time in different parts of the organization, we must require the CIO to be a CISO first.

So why aren't CISOs being considered for the CIO role? The key reason, in my opinion, is that in most organizations today the CISO's message is still being filtered, and the perception is that they are the person who says "no". No one wants the naysayer at the table. But that perception is wrong. Look at businesses like Lockheed Martin, where cybersecurity is part of their DNA: their CIOs were CISOs first. When their CIO works with the rest of the organization, they understand the full breadth and depth of the risks being discussed.

Demand that your next IT leader has the experience of a CISO. And in the meantime, invite your CISO to sit at the table and make sure they are incorporating their security experience into the foundation of everything your organization does.

About: Stephen Gilmer is an IT Professional who has traveled extensively domestically and internationally to advise clients on how to grow their business securely. He has worked with multiple government entities in his travels, with private and public companies, big and small. He enjoys public speaking, and helping companies learn how to make cybersecurity part of their DNA. Yes, his children think he says “no” too much.


Stephen Gilmer

Stephen Gilmer is a Certified Chief Information Security Officer (C|CISO) with more than 25 years of experience as a technical expert and executive leader focused on securing technology companies’ most sensitive and valuable data and systems. Stephen previously was in-house CISO at both a biotechnology startup and at two Fortune 10 aerospace, defense, and technology companies. In these roles, Stephen designed and implemented sensitive data and IP security control programs; shaped policy at the national level and security framework formation; and proactively resolved complex investigation, audit, and regulatory oversight issues.

Stephen is a Six Sigma Black Belt who led the transition of the IT infrastructure of a private start-up to address the regulatory and operational requirements of becoming a publicly-traded company. As a CISO executive in an aerospace defense company subject to a consent agreement with the United States Government, Stephen also led global cyber investigations, risk analysis, engagement, and mitigation controls necessary for the organization to successfully navigate oversight requirements and re-establish credibility with Government customers. Concurrently, Stephen built and led the cyber security components required to support winning and executing multi-billion dollar government contracts.

Stephen frequently speaks at global cybersecurity conferences, publishes articles on the business necessity of proactive cyber risk management, and advises on and conducts cybersecurity education / training for corporate leadership including the Board of Directors, the C-Suite and Compliance Officers.
