Build An Alliance With Your CIO
According to numerous global technology decision-makers we survey, cybersecurity is a top priority. Unofficially, though, from my own experience, and from the experience of almost every security professional I know, there is a problem.
Not only is this tension the cause of significant stress to CISOs and tech leaders (and their teams), but in any situation where you’ve got people busy fighting with one another and pointing fingers, then at a very practical level, the work is not getting done. In this instance, this work is the cybersecurity posture of the organization — it is taking a back seat as a result of these silos.
Why This Topic? Why Now?
This year, I published research that takes on a problem as old as time, or at least as old as cybersecurity: the silos that exist between tech and security teams.
We kicked off this research because we observed, through other research projects and from speaking to our CISO and tech exec clients, that this problem of silos between security and tech teams somehow took a southward turn in the last 18 months. It kept on getting mentioned in hushed tones on inquiries and guidance sessions as a reason for not being able to move to an agile environment, to obtain and report on meaningful metrics, or to execute on Zero Trust promises, as well as general ranting about “the other side.”
We observed that one significant factor behind the widening rift is reconfigured reporting lines — as recently as 2017, 60% of CISOs reported into technology, compared to 33% today. Before we dove into the solution, we wanted to be very clear about the root cause of the silos. In conducting this research, we decided to listen to the tech exec’s side — a side that many of us in security haven’t had the opportunity to explore in detail.
The learning was humbling: Few tech execs we spoke to reported positive relationships with their CISOs; most were lukewarm to outright hostile. The relationships fell into three categories: positive but conditional (better where the CISO reports into the CIO or the CIO coleads security and tech); neutral (with the CISO largely seen as technology-focused); or outright hostile.
There Are Different Sides To The Story
Tech execs told us that they contend with competing goals, a complete lack of pragmatism, and a “sky is falling” mentality from their security counterparts or direct reports. They mentioned that they feel criticized, as though they’re having dirt thrown at them or being told that their baby is ugly.
Conversely, they were not always aware of the challenges facing CISOs and security teams: the CISO Da Vinci fallacy, burnout, and talent gaps, to name a few. Motivations and past traumas don’t excuse anyone’s current behavior, of course, but understanding them gives you a different lens on their past and can help you work toward a better future.
How Do We Solve This? Can We Solve It?
Left unaddressed, negative dynamics will fester, causing serious personal, professional, and business harm to all involved. You can hope that these relationship problems will go away — or address them head on.
Clients can use our Security And Tech Trust Evaluation Tool to see if you need to build, repair, improve, or elevate your relationship with your counterpart and to operationalize seemingly nebulous and squishy concepts: empathy and trust. Luckily, we know from Forrester’s data-driven research into both empathy and trust that they are concrete and can be built up.
If you want to learn more about this topic, catch me at Security & Risk Summit in Baltimore in December. Come see how you can exercise empathy and make trust concrete in order to build an alliance between tech and security.