[08-27-24]--Well, I Think My Relationship With the CIO Improved When I Took Their Job
CISO Series Podcast
Well, I Think My Relationship With the CIO Improved When I Took Their Job
The relationship between a CIO and a CISO can be fraught. Often this stems from the reporting structure of an organization, with CISOs reporting directly to the CIO. So how can CISOs help navigate what can be a frustrating relationship? How does that relationship change as organizations continue to embrace SaaS rather than more traditional IT?
This week’s episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Ty Sbano, CISO, Vercel.
Perception is the reality for insider threats
Non-malicious insider threats occur all the time. They happen when employees work around bad technologies and processes. Discontent is different and can lead to eventual malicious threats. CISOs must care about employee perception and company culture because discontent can lead to increased security risk, noted Christopher Burgess in an article on CSO Online. That’s what the “chief” in the title means: you’re part of executive management. Ensuring employees feel valued and respected can prevent malicious actions. This starts with understanding the human element and maintaining empathy. More formalized tools like engagement and offboarding surveys can be part of the toolkit to gauge employee sentiment. Fostering a positive company culture and addressing the root causes of discontent are critical for effective insider risk management and overall business resilience.
Coaching rather than shaming
Does using light-hearted methods to raise security awareness still count as shaming, or can it lead to improved behavior? Any security lapse should be seen as a coachable moment. What works best is reinforcing security policies through friendly reminders rather than punitive measures. Pranking employees for security lapses could damage trust, especially in larger organizations or with new employees. Instead, use non-invasive reminders, such as leaving a note when someone forgets to lock their screen. The goal is to be constructive while staying positive. It’s a gentle balance ensuring security training is effective without undermining employee morale.
Working to make DevOps redundant
Everyone wants to get security closer to development, but adopting DevOps into your security program requires shifting cultural perceptions. Security is not solely the responsibility of security teams but should be integrated into the DevOps function. Development teams should be accountable for maintaining security within their processes, supported by security teams as consultants. Ideally, the term "DevSecOps" is redundant, with a true integration moving security into a natural part of the development lifecycle, noted Santosh Kamane of RIVEDIX in an article on LinkedIn. Aligning development executives with security goals and building strong partnerships between security and development teams are crucial steps toward improving outcomes.
Fixing a strained relationship
Can a CIO and CISO live in harmony? The roles overlap in responsibilities, particularly in balancing compliance and operational goals. A productive relationship will see both positions as part of the same team working towards a shared mission. The tension comes from the reporting structure. Many argue that CISOs should report directly to the CEO to maintain the integrity of their role. The separation of CIO and CISO roles often stemmed from CIOs being treated as cost centers, leading to a focus on cost-cutting rather than governance, noted David Gee GAICD in a piece on CIO Online. The future will see a shift towards more integrated roles, with current CIOs and CISOs needing to adapt by focusing on data architecture and governance to stay relevant.
Listen to the full episode over on our blog or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.
Thanks to Nir Rothenberg, CISO, Rapyd for providing our “What’s Worse” scenario.
Thanks to our podcast sponsor, Backslash Security
Subscribe
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Biggest mistake I ever made in security…
"One of the biggest mistakes was I was the head of security…first time head of security at a small company called Periscope Data, and I was running IT, trying to get permissions set up for a single user account for a test suite. Accidentally I disabled the entire G Suite for the entire company.
As a result, someone right next to me said, 'Ty, is there something wrong?' And immediately I saw our CEO walking towards my desk saying, 'Dude, what just happened?' And I’m like, 'I’ve just reverted everything, but I’ve tendered my resignation.' The look of disgust on his face and the panic that ensued, I had to immediately say, 'I’m only joking, but I apologize for disabling G Suite right now.'" - Ty Sbano, CISO, Vercel.
Listen to the full episode of "Well, I Think My Relationship With the CIO Improved When I Took Their Job."
What Triggers a CISO?
"I know a number of my CISO colleagues, we always say, ‘Hey, go through my team.’ If my team thinks that your product is great and can help us, that they’re passionate about it, then, yeah, I want to hear what’s going on with it, too. But the pressure sales, that’s not going to work." - Sherron Burgess, CISO, BCD Travel.
Listen to the full episode of "What Triggers a CISO?"
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
AMA!
I’m an Executive Recruiter for security professionals. Ask Me Anything.
Starting this month, CISO Series will be hosting a monthly "Ask Me Anything" (AMA) discussion right here on . The first one began this past Sunday, August 25th, 2024 and runs to August 30th, 2024, and it is titled, “I’m an Executive Recruiter for security professionals. Ask Me Anything.”
Super Cyber Friday
Join us Friday, 09-06-24, for “Hacking Tabletop Exercises”
Please join us on Friday September 6, 2024 for Super Cyber Friday.
Our topic of discussion will be “Hacking Tabletop Exercises: An hour of critical thinking about enhancing incident response readiness.”
Joining me for this discussion will be DJ Schleen, distinguished security architect, Yahoo, and Christina Shannon, CIO, KIK Consumer Products.
It all starts at 1 PM ET/10 AM PT and then we roll over to our meetup portion on Discord. It’s a great chance to connect with the cybersecurity community.
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.