Why is the CIO-CISO dynamic strained?

McAfee CIO Scott Howitt wants his CISO to tell him when he's wrong — even if it's in front of the board.

"We're executives, they pay us a lot of money to maximize shareholder return. So let's have an open and honest conversation," said Howitt. "The CISO is meant to be there to enable and help the CIO move faster because he's going to put the guardrails up to keep him safe."

In an enterprise where every executive has competing priorities in deadlines, money and personnel, some CISOs and CIOs fight for equal shares.

CISOs are "sort of proxied away from the C-level stakeholders by the CIO," said Jeff Pollard, VP and principal analyst at Forrester. Because of this, CISO-like responsibilities often fall to the level of a VP or director, and "that's the start of the issue."

While 64% of CIOs say their role is expanding into cybersecurity, security management is expected to decrease 27% in the next three years, because CIOs are "devot[ing] less time to traditional functional responsibilities," according to a 2020 IDG study.

CIOs are responsible for IT infrastructure and digital competitiveness, so there might be cases where the CIO might feel disincentivized to prioritize security goals in favor of their goals, according to Pollard.

This is especially true when security budgets are a subset of IT budgets and CISOs report to CIOs. IT security accounts for 16% of overall IT budgets, according to IDG. After leading digital transformation, 31% of CEOs want their CIOs to upgrade IT and data security for better resilience, according to IDG.

If the CIO is "looking at budgets, and they're coming down to allocating the last little bit of that budget, maybe they assign that to IT instead of to security. And suddenly security's budget is just a little bit smaller than it would have been otherwise," said Pollard. "It's not to say that it's malicious, or it's intentional, but it is to demonstrate the fact that this is the way things occur."

"I said, 'Even if you feel like you need to go over my head to the CEO, go over my head if you think I'm not hearing you.'"

Scott Howitt

CIO and SVP at McAfee

When the CIO/CISO reporting or budget structure is in place, it can create a conflict of interest for CIOs and CISOs presenting to the board. Pollard had a client whose board asked the CIO to leave the room for the CISO's presentation "so that the CISO could air anything they needed to air."

While the intention was to hear the CISO outside the purview of the CIO, the unsaid question was really, "what if the CIO is the problem?" said Pollard.

It's a situation that perpetuates false transparency among leadership. "It was almost transparency theatre," said Pollard.

But the hierarchical power struggle between the CIO and CISO isn't felt in every company.

At McAfee, Howitt and CISO Arve Kjoelen work with the understanding that if one or the other does something "grievously wrong," they can raise a flag, said Howitt. "I said, 'Even if you feel like you need to go over my head to the CEO, go over my head if you think I'm not hearing you.'"

"The thing that gives me comfort around Scott, is he has been a CISO in the past," it's really a conversation about how both roles contribute back to the bottomline of the business, said Kjoelen. Having a foundational understanding between the CIO and CISO means "we don't have to spend precious time to get on the same page as each other, we can dive into what the issue is and resolve it," said Kjoelen.

Give and take

Reporting structures vary from company to company. A 2018 PwC study found it's common for CISOs to report directly to the CEO or the board as opposed to the CIO. Forty-percent of CISOs report to CEOs while 24% report to CIOs.

But moving the CISO away from reporting to the CIO has unintended consequences. "If you take the CISO out of the CIO [organization], they suddenly become one step removed from having a lot of insight into technology," said Pollard.

Samantha Ann Schwartz/Cybersecurity Dive, data from PwC

Companies may make the decision without fully realizing why it should even be done. One CISO was concerned he would lose insight if he wasn't reporting to the CIO and present in technology standup meetings, Pollard said.

Prior to joining McAfee, Howitt experienced a revolving door of CIOs at a former employer. "We swapped out CIOs every 18 months. I felt like I was going through a re-education process every time and they would always have different priorities" and it would lend itself to unstable cyber continuity.

By the time Howitt became CISO at MGM Resorts International, and he wasn't reporting to the same executive as his CIO, there were times "I would sequence faster than the CIO," he said, outpacing his IT counterpart.

Howitt reported to the CEO while his CIO reported to the COO. While the reporting structure gave Howitt a sense of freedom, when he and his CIO weren't moving in tandem, he questioned the benefit MGM was receiving.

Extending a hand

Pollard has found CIOs asking for CISOs with more strategic intent in recent research. CIOs are "coaching them on that and helping to elevate them, but the CISO isn't ready for it yet," said Pollard.

Thirty-eight percent of Fortune 500 companies didn't have a CISO, according to a 2019 Bitglass report. Only 4% of Fortune 500 companies recognize their CISO on their leadership pages.

As companies add a CISO role to the C-suite, CISOs will have more exposure to overall business goals and strategy. Headhunters for Fortune 100 companies are seeking CISOs because in some cases, they've hired chief risk or ethics officers to fill that cyber void, said Howitt. "I personally think cybersecurity should be part of a company's corporate social responsibility statement," because it speaks to a commitment of data protection.

The addition of more tech-facing roles in the C-suite is also indicative of how a company views its CIO. "I do think the role of the CIO is eroding a little bit when they're staying in their traditional sense," said Howitt. If the CIO works exclusively to maintain corporate IT, companies will adopt CTOs or chief digital officers too.

"The CIO shouldn't be the guy who is just fixing laptops. You should be looking at how we as a company make money and how can I bring my technical technology expertise to the table and help shift it so that we're doing it more efficiently," said Howitt.

For B2B enterprise companies, like McAfee, product security is the bottomline and foundation of revenue, and includes the CISO into revenue-based conversations. CISOs with this expectation have more visibility among leadership, according to Pollard.

In organizations where the CISO is less of a subordinate of the CIO and more of a peer, the CISO tends to take the shape of a transformational CISO, post-breach CISO or customer-facing CISO, according to Pollard. Each one of these "types" of CISO indicates the company has elevated security in reaction to an incident or security is inherently part of the product the business sells.

But if a CISO works in an organization that limits security as a purely technical and operational information security, "that is the type of organization where you need to have more visibility and more responsibility," said Kjoelen, especially with the pandemic upending traditional processes.