The evolving roles of the CIO and CISO [Q&A]
The relationship between an organization's chief information officer (CIO) and chief information security officer (CISO) has traditionally been somewhat at odds, since the CIO's job is built around sharing information and the CISO's job is to secure it. Plus, the CIO was normally higher in the organizational hierarchy, which could also cause some tension.
But the relationship has evolved in recent years, to the point where the two positions are often more on par with each other. And with security's growing importance to the business (and the boardroom), the two jobs often share the same goals and responsibilities.
We talked with RingCentral's CIO, Ashu Varshney, and CISO, Michael Armer, about their respective roles and the key issues they are working on together.
BN: What is the main role of the CISO?
MA: I believe that the CISO/CIO relationship should almost be 'two in a box'. We both are highly dependent on each other to be successful. It is very rare that I can launch an initiative that does not involve the IT organization. They are key stakeholders. In turn, security has to be involved because the services we are building must be compliant, and they must be built out at acceptable risk levels and compliant with policy. So, there has to be this handshake.
There has been an evolution over the past five years, in my opinion. At one point, CISOs reported to the CIO, and there have been cases where there are conflicts of interest. A case in point is cost pressure. CIOs are not measured on risk mitigation, so they are prepared to accept as much risk as required to meet budget targets. So, this idea that the CISO is now a peer of the CIO, and that they are independent to prevent conflicts of interest, is important. There is a very tight partnership there.
This evolution, which is happening right in front of us, also affects liability for CISOs. They are in some cases facing criminal charges. They are on the hook, from an accountability point of view, at a much larger scale today than they were years ago. CIOs have a different responsibility, but they do not typically end up in legal jeopardy.
So, the roles are transforming, and they are changing not just from a responsibility point of view, but in terms of accountability.
BN: What is the main role of the CIO?
AV: I would put the overarching CIO strategic goals -- outside of security and privacy, which is a topic in itself -- into three major categories.
The first is application governance and rationalization. During the pandemic, there was a huge acceleration in digital transformation, but not necessarily a very structured acceleration. Most of the lines of business across enterprises were empowered to make their own decisions and their own investments regarding digital transformation. Most of it was great, but a lot of it was superfluous. Most CIOs across all sectors are looking at what they have, what different lines of business are using, and where the redundancies are. This is an opportunity to consolidate them and be able to drive a better margin for your business.
Number two would be artificial intelligence. I know the last several months have been very noisy, but what is very clear is that AI is mainstream now. The noise will die down, and true business cases will emerge out of it to advance businesses going forward.
Number three is the return to the office, which is still a bit of a controversial item to discuss. Most companies around the world are trying to figure it out, because the behaviors of employees have changed. The fact of the matter is that the work has changed. Hybrid is here to stay. It's going to happen in such a fashion that you would have to enable your workforce to work both at home and at the office and be able to do that without any kind of disenfranchisement. Your on-prem employees and your remote employees should both be first class corporate citizens.
BN: How do CISOs and CIOs work together on controlling costs?
AV: For every new acquisition, for every new renewal, the lines of business have to present their business case on how much they are investing, and how they have done the competitive analysis. They should know what other tools are available both inside as well as outside. Being able to justify their investment into that technology is number one.
Number two is license harvesting. During the pandemic everybody was investing heavily and the growth for most technology companies was exploding. People were hiring. The net result was that licenses have gotten oversubscribed because you used to have 1,000 agents, and now you have reduced your workforce to 400. You have 600 licenses that you are paying for that nobody is using. Even if you want to keep the application, you want to make sure that your license count is optimized.
The third thing is negotiation. The economy is turning for the worse, but vendors want to keep you as a customer. You do not need to renew with the same terms and pricing that you did a couple of years back. You can negotiate better terms.
BN: How do they work together on security?
AV: Mine is a little bit of a special case because I put together the security team at RingCentral. I was the acting CISO for the longest time along with everything else, so I am always very mindful about the security and privacy requirements.
That aside, one of the things you realize as you start moving up market is that security is not only meant for securing your network, it also becomes a sales-enablement tool. There are verticals -- healthcare, government and education -- where if you do not have a certain level of security investment, and have not invested in certain compliance programs, you will never break into those segments.
Because of its impact and the positivity that it brings to sales and your entire posture as a company, security is something I am very sensitive about. I always give 100 percent support towards everything that is meaningful for security.
MA: Yeah, I have always been of the opinion that security should be a strategic component of the business. We should not be a cost center. We have a primary responsibility to protect our customers and the business. But at the same time, there are services we can provide that can be truly enabling.
BN: How do CISOs, with the help of CIOs, act on global security and privacy laws, such as GDPR, HIPAA and the Securities and Exchange Commission's recently passed rules on disclosing cybersecurity incidents?
MA: I support the regulations. I think disclosure is incredibly important. I believe that companies can benefit mutually from an overall risk mitigation point of view. If we had more information sharing ability, we could collectively respond better.
From a governance and oversight point of view, I have added a compliance component now that the [SEC] regulations are in place and can update the board on what our processes and procedures are on the accountability system to ensure that we are compliant. It has not been a big lift to retrofit our processes.
One of the areas that is going to need some attention and interpretation with legal is what constitutes an incident. That is a little bit ambiguous right now, and I personally think it is going to take some time for some of these regs to get fleshed out. I think the most important thing a CISO can do is connect with their legal organization and get aligned on legal's interpretation, because at the end of the day, legal is going to have to defend the action.