Communication and people skills separate technicians from leaders in the CIO chair.
Source: WSJ CIO, 6/22/16 by Ken Porrello / Khalid Kark, Deloitte Consulting
Why do some CIOs readily adapt and excel more than others in today’s fast-changing, tech-fueled environment? CIOs themselves may help to provide the answer. In Deloitte’s CIO Program survey, 1,271 respondents were asked to identify the characteristics of a successful technology leader and then to list their current strengths. They overwhelmingly chose five characteristics (Figure 1).
However, only 9 percent of respondents credit themselves with all five of these characteristics. (Survey respondents overall get points for honesty and self-awareness.) As one CIO put it, “If there weren’t such a dearth of these qualities in the technology space, they wouldn’t be considered so important.” The gap between the characteristics CIOs identify as necessary for success and those they attribute to themselves was greatest in three areas: ability to influence internal stakeholders; attracting, retaining, and motivating talent; and technology vision and leadership.
These three gaps, collectively, point to a bigger issue for CIOs—a lack of social intelligence. Social intelligence is a commonly used term to describe the capacity to effectively navigate and negotiate complex social relationships and environments. For our purposes, we’ve extended that definition to include the three critical but often missing attributes CIOs need to succeed.
How much does social intelligence matter for CIO success? A lot, it turns out. In working with newly appointed CIOs, we ask their business stakeholders (more than 200 to date) to define their expectations of the new CIO. The ability to attract, retain, and motivate talent and the ability to influence stakeholders—two of the three capabilities embodied in social intelligence and acknowledged as gaps by CIOs—topped the stakeholders’ list of expectations. Yet, despite a clear need to address their social intelligence gaps, many CIOs lack a coherent plan for doing so.
Becoming a Socially Intelligent CIO
What does it take to actually become a socially intelligent CIO? Our interviews with CIOs who fit the definition uncovered three major steps:
1. Become politically savvy. Most successful CIOs understand the politics of their role and organization and can navigate it to their advantage. They have a comprehensive grasp of the implications of their actions and are capable of analyzing the political culture and circumstances associated with the issues they face. They then can quickly identify the strategic relationships needed to attain their objectives. To enhance this know-how:
– Form coalitions and alliances. Success in any C-suite role depends on executive support. Establishing alliances, courting stakeholders, and developing strong advocates is essential to ultimately getting buy-in and backing.
– Use empathy to overcome resistance. Every business leader has an agenda, priorities, and goals. Take the time to understand and acknowledge these, or expect to be met with resistance. One CIO tells all his newly hired direct reports to spend their first two weeks reaching out to 30 business stakeholders to understand their performance goals and success measures before discussing technology.
2. Build a brand, not just an organization. Branding is an important tool for building trust and credibility with business stakeholders and aligning technology resources under a set of common beliefs. A brand promise allows the CIO and the IT organization to make conscious choices and investments to fulfill promises to stakeholders. Start by:
– Carefully defining cultural norms and expectations. Issuing edicts is easy; building, nurturing, and reinforcing behaviors to align with the culture is hard. One CIO encourages high performance as a cultural attribute by challenging his staff with aggressive goals, which they often achieve. But he also has a healthy appetite for failure, which includes rewarding risk takers even if goals are not met.
– Fulfilling the brand promise at every customer interaction. Whether the brand promise is reliability, security, resilience, agility, or innovation, get the whole IT organization behind it and exhibit behaviors that reflect and reinforce it.
3. Develop and articulate a clear technology vision. Unless CIOs understand business expectations and develop a narrative that clearly articulates the role of technology in meeting those expectations, misalignment with business stakeholders will persist. As part of that process:
– Abandon technology strategy. A lack of alignment between CIO priorities and business stakeholder priorities signifies a disconnect between technology and business approaches. To sidestep this dilemma, look to business strategy for direction and clearly identify the role of technology in achieving business goals.
– Be a master storyteller. Bringing technology vision to life requires CIOs to essentially campaign, using master storytelling techniques to influence a diverse audience from IT staff to business stakeholders. If storytelling does not come naturally, enlist the help of communications experts. One CIO recruited two of his firm’s corporate communications employees to work with him full-time on crafting the IT narrative.
The good news is social intelligence skills can be learned with personal reflection and effort, and a strong, well-balanced leadership team can augment the personal skills of any leader.
—by Ken Porrello, principal, and Khalid Kark, research director, Deloitte Consulting LLP
There is no doubt that CDOs add significant value to a business, but in order for CDOs to be successful and gain appropriate support from the business, it is crucial to have a proactive plan for internal obstacles, map out clear objectives, and be highly adaptable and creative.
by Mario Faria
Does your organization have, or is it considering adding, the role of chief data officer (CDO)?
If so, you’re in good company. The power of data in driving business success today points to a compelling need for a centralized CDO office. Gartner predicts that by 2018, 30% of all organizations will have an appointed CDO. By 2019, 90% of large organizations will have hired a CDO.
The big problem is that in practice, there is little agreement on the degree of authority needed to fulfill the responsibilities expected in this nascent role — or the resources that will be available.
Consider this scenario: A new CDO in her first 90 days on the job is tasked with creating an enterprisewide information governance board. She identifies delegates and invites them for an inaugural meeting, but only half of the members of this new board respond that they will attend.
The CDO in this situation was given responsibilities. But without being invested with formal authority, she can’t help the organization get the maximum value from its data assets.
There are three strategies that CDOs should employ to avoid organizational pitfalls:
The economy. Marketplace dynamics. Government regulations. These are all external roadblocks that CDOs encounter every day.
In addition to the lack of authority demonstrated in the above example, CDOs frequently face myriad internal roadblocks. Some of the roadblocks that participants in Gartner’s annual Chief Data Officer Survey (conducted between May and July 2015) said they encounter on the job include:
CDOs need a proactive plan to address these organizational obstacles. The plan starts with recognizing that a hefty component of the CDO role is acting as a change agent.
To begin, CDOs must identify the major roadblocks and prioritize them according to business impacts. Next, determine the root causes of these roadblocks and map out who the blockers behind them are. The final, critical step is to establish a plan of action to deal with the top-priority roadblocks by focusing on positive business outcomes.
This shouldn’t be a solo effort. It’s important to have a corresponding map of the company’s key influencers; their support and endorsement of the plan is critical. The team should also be kept apprised of the roadblocks that the CDO office faces, and if possible, the plan should be shared with the blocker.
Lack of resources is one of the big challenges that CDOs identified. For example, some of the job roles needed to accomplish the CDO’s responsibilities may not exist in the organization, or they might be currently staffed in another part of the organization. New CDOs need to develop an accurate picture of staffing needs and priorities. Three broad categories of objectives fall under the CDO’s domain:
Objective: Manage information assets
Example roles: Information Governance Leader, Data Sourcing Manager
Objective: Deliver insights to improve business decision making
Example roles: Chief Analytics Officer, BI & Analytics Leader
Objective: Generate incremental business value
Example roles: Algorithm Program Manager, Information Product Manager
Next step: Map primary objectives to top-level functional roles.
Being adaptive and creative are also key strategic competencies for CDOs. Some functions vital to the success of the CDO office might straddle or reside in other parts of the enterprise. To adapt to this challenge, CDOs can develop virtual organizations, with combinations of direct and indirect reports (such as employees from IT) to augment resources while engaging other parts of the business in enterprise information strategy.
For example, information stewards — senior business users who possess information and analytics acumen — can work with information governance leaders to recommend and enforce user policies.
Keep in mind that the appointment of a CDO typically comes from a high-level decision. In practice, it can trigger an array of problematic reactions within the organization — including confusion, uncertainty, doubt, resentment and resistance. CDOs need to rise to the challenge of changing the status quo if they expect to lead the business in making data a strategic asset.
Established tech giants like Google and Apple are well-worn avenues for potential talent, but shrewd CIOs are now targeting employees at tech companies struggling with rapid expansion. The impact of hiring from these upstarts can reverberate throughout an organization, as they bring experiences and insight that can only be gathered from their unique growth experience.
by Clint Boulton
CIOs working for large companies are forever lamenting the challenge in luring technical talent, as employees gravitate toward high-flying, cash-rich startups based in Silicon Valley. At a time when CEOs are asking CIOs to oversee digital transformations, IT leaders at Walgreens, Whirlpool and other companies say luring more software developers, data scientists and user experience designers is difficult.
Thirty-eight percent of IT leaders who plan to recruit talent in the next six months said that it is “very challenging” to find excellent IT talent, according to the CIO Executive Council’s 2016 IT Talent Assessment Survey. But CIOs have a shot at hiring help thanks to a potential shakeout looming for so-called unicorns, those generously funded private companies worth at least $1 billion.
“When the taps start to get turned off — which they did in Q4 — the startups have to tighten their belts, which means they have to lay off staff,” says Forrester Research analyst Ted Schadler, who examined valuations of more than 150 tech unicorns in a recent report, titled “What Comes After the Unicorn Carnage?” He says valuation challenges for unicorns, in particular, will create opportunities for CIOs who have typically lost out on technical talent to nascent companies that begin shedding workers to cut expenses.
How deep the current downturn will go is anyone’s guess. Recent funding activity signals dark days ahead. T. Rowe Price Group has marked down 12 unicorns, cutting Hadoop software maker Cloudera by 37 percent, database software provider MongoDB by 23 percent, and file-sharer Dropbox by 16 percent. Funding for U.S. startups fell 25 percent from the fourth quarter to $13.9 billion, marking the largest quarterly decline since the dot-com bust, according to Dow Jones VentureSource.
CIOs such as ADP’s Stuart Sackman aren’t shy about exploiting the potential tech-geek grab. “To the extent that there are more people available because there are less opportunities to go win the lottery working for a unicorn …. I do think that helps us,” Sackman tells CIO.com. He also says a little belt tightening is generally good for ADP, which competes with a few thousand startups in the market for human resources software.
Sackman says ADP has countered the challenge of attracting talent by opening an innovation lab in New York City, where the company is building analytics and machine learning capabilities into its software for PCs and mobile devices. He says the company has the resources and scale “to go big fast with new ideas and innovations.” “People want to work on things they know are going to have a big impact,” Sackman says.
Shawn Wiora, CIO of Creative Solutions in Healthcare, is already prepared to take advantage of the purge thanks to modern networking. He connects with engineers and product managers from many of the startups and incumbent vendors he works with via LinkedIn, and instructs new staff to add 100 new connections on the social network. “We have to stay in touch with every vendor we’re working with,” Wiora says. “Sometimes we solicit them for employment opportunities,” or to ask them questions about their technology.
CIOs who don’t capitalize on the looming talent purge risk losing out to more nimble companies hustling to accelerate their digital transformations. “Companies either digitally transform to serve customers where they live — or watch as customers find companies that can,” Schadler says. “CIOs should seize this small window of opportunity to hire or acquire talent for digital transformation to serve customers in the digital channels of their choice.”
Schadler also says CIOs must align their hiring strategy based on what talent they need with what will become available on the market. “Instead of a generic ‘hire talent,’ it’s ‘what talent do you need to acquire and where does that talent reside today and does that line up against markets that are already fading or will fade in the next couple of years?'” Schadler says.
As recruiters feast like piranhas on employees cut loose from struggling startups, CIOs who have built track records as “digital disruptors” will land the best talent, says Saad Ayub, who consults CIOs after serving in CIO roles at Scholastic and The Hartford. “If as a CIO I am doing this then when the bubble bursts it will be easier to pick up talent,” Ayub tells CIO.com.
Will CIOs be future CEOs? Given the growth in digital innovation, CIOs that are progressive and visionary will have the opportunity to be the next generation of CEOs.
by Clint Boulton
CIOs who work closely with CEOs to direct digital strategies will eventually find themselves in the CEO’s seat themselves, according to Salesforce.com CEO Marc Benioff.
It might seem ironic for the leader of the company that blazed the trail for shadow IT to acknowledge that the CIO’s role has ratcheted up several notches in importance. Yet in a sign of how, in the words of Marc Andreessen, “software is eating the world” and perhaps irrevocably altering the business landscape, Salesforce.com CEO Marc Benioff says that the CEO is working closely with the CIO to architect digital transformations. Eventually, some of those CIOs will become CEOs, he said.
“We’re in a new world where the CIO is redefining their role and the partnership that they have with the CEO today is, I think, never happened before in our industry,” Benioff said, speaking to about 100 CIOs at the Forbes CIO Summit in Half Moon Bay, Calif.
What is driving this change? Benioff says that every company is afraid of being “Uberized out of the world,” a reference to how the ride-sharing startup has disrupted the transportation industry, one of the latest examples of the innovator’s dilemma, in which established businesses fall behind after failing to innovate. As a result, CEOs are formulating their digital strategies, and enlisting their CIOs as their core partner for enablement and capability. The CIO has become the Robin to the CEO’s Batman.
Digital transformations are accelerating, according to research from Forbes Insights. Thirty-one percent of 305 CIOs, CEOs and other senior executives the researcher surveyed said that digital transformation, defined as shifts to cloud, mobile, analytics and social capabilities, will expand significantly within the next 24 months. Another 58 percent expect to expand their digital activities at a more moderate pace. In five years, 42 percent predict their jobs will be mostly digital.
Benioff said that CIOs have evolved beyond managing financials, general ledger, and email to hashing out digital agendas with their CEOs. “When I look at what the CIO does today… it’s very different than where it was a decade ago,” Benioff said. “I don’t think that you can separate the CEO and CIO relationship any longer.”
CIOs who are able to guide successful digital transformations will eventually become CEOs, Benioff said. “The CIOs are going to become the CEOs because to become the CEO, you’re going to need this [digital] capability … More and more you’ll see the CIO becoming the chief executive officer because the board … is getting a lot of exposure to the CIO and then the board says that CIO has got that vision, has that idea and knows the digital transformations that we have to make to get back to growth. And the growth is going to come from the delivery of these next generation services. That’s the CEO’s job.”
Benioff’s opining on the evolving role of the CIO was a response to a CIO’s question about how CIOs should deal with shadow IT. More than a decade ago, Salesforce.com annoyed CIOs by selling its cloud-based CRM software directly to sales and marketing departments that paid by swiping their corporate credit cards. On Monday, Benioff acknowledged that shadow IT has empowered CMOs and other business line leaders to be “mini-CIO” serving their employees as customers.
Although Benioff was bullish on the power of digital transformations as well as their power to shake up the C-suite, Forbes Insights suggests that the reality is more nuanced. While some CIOs are guiding their organizations’ digital transformations, others remain confined to more traditional roles of managing and deploying technology. Others fall somewhere in between.
Thirteen percent of respondents said their CIOs are “transformers” serving as full partners to the business in digital transformations. Another 43 percent are “advocates,” meaning that while their organizations haven’t fully embraced digital, they are piloting or exploring digital projects. However, 37 percent of executives are “servicers” who develop digital capabilities in response to requests or guidance from other business units. Lastly, 7 percent identified as “plumbers,” engaged in running the traditional tasks of IT, such as provisioning servers.
The digital disruption, including the evolution to cloud, data analytics, social and mobile capabilities that underpin digital transformations, is such that customers are beginning to resemble cloud vendors, Benioff says. Many Salesforce.com customers provide cloud services to their customers, operate on a deferred revenue model and move faster to produce high rates of innovation, Benioff says. That’s leading to larger contracts with cloud providers such as Salesforce.com, which last month announced that it had inked two nine-figure contracts.
“Today, you are witnessing a movement where every company is becoming a cloud company that I work with,” Benioff says. “Companies want to make [cloud] our standard for our enterprise… and that is also really the maturation of the cloud.”
The role of the CIO is changing dramatically as companies adopt disruptive technologies to fend off new and different competitors. CIOs with the ability to drive innovation and truly partner in the performance of companies will have a bright future.
by Clint Boulton
CIOs who can transform their businesses and accelerate fiscal growth will help their companies fend off technology disruption and industry convergence.
“Success breeds complacency. Complacency breeds failure. Only the paranoid survive.”
Former Intel CEO Andy Grove memorialized those mantras 20 years ago, but they ring true today. It takes a special breed of CIO to drive change in a world where technology is enabling enterprising startups to disrupt industry incumbents, which in turn cross over to other industries, says Michael Fitzgerald, CIO advisory leader and partner of IBM Global Business Services.
In IBM’s Redefining Connections study, Fitzgerald reported that 63 percent of 1,805 CIOs surveyed worldwide ranked industry convergence as the biggest business trend on the horizon, with 50 percent bracing themselves for an influx of rivals from other industries. Some 77 percent point to technology as the chief facilitator of the phenomenon.
“CIOs everywhere realize the barriers between formerly distinct industries are collapsing, as companies in one sector apply their expertise to others – producing new hybrids and erasing traditional industry classifications in the process,” Fitzgerald wrote.
Threats from tech companies such as Uber and Google are forcing auto-manufacturers into ride-sharing and autonomous driving. Imagine if one day Ford or General Motors turn the tables and pose a major threat to their tech rivals. For a modern-day example of industry crossover, consider General Electric, which is using software and sensors to capitalize on the emerging Internet of Things phenomenon. The industrial giant’s Predix analytics software, which anticipates when turbines and other engines will fail, could become a huge software business to rival leading software vendors.
Salesforce.com CEO Marc Benioff recently opined that companies fear being “Uberized out of the world.” It’s a legitimate fear among CIOs.
That is why it takes a torchbearer – a CIO both innovative and capable of driving revenue growth — to manage IT in a world where every company is essentially becoming a technology company. Fitzgerald says torchbearer CIOs demonstrate their ability to be innovative while showing a “superb financial track record” and the ability to grow the business. Torchbearers are transformational CIOs, with a predilection for peering around the corner, anticipating business threats and boosting profits.
Fitzgerald enumerated some of the hallmarks of a torchbearer:
Go agile and innovate in digital: Torchbearers create agile operating cultures, digitizing the front office and strengthening the IT department’s skills. They split big projects into smaller, more manageable chunks, delegate tasks to different teams and give them the freedom to get on with the job. They may regularly rotate their staff to give them experience as project managers and business analysts, easing bureaucracy within the organization. Above all, they aren’t afraid to experiment, to fail fast and iterate to innovation. “The only way to stay ahead of disruptive change is to embrace it, which means being able to develop and release new products and services within weeks or even days,” Fitzgerald explains.
Partner with marketing: Recognizing that few businesses can provide the full array of products and services customers want, torchbearers partner with marketing and other digital constituents to tailor digital products, such as mobile applications for customers. Collectively, they can innovate more rapidly and extend both their reach and range, without assuming the entire burden of risk themselves.
Knowing the customer cold: Many CIOs rely on thought leaders and market research firms to divine customer needs, but torchbearers go the extra mile. Nearly half turn to external customers for pointers on what’s coming down the pike. Torchbearer CIOs are also more likely to reassess the customer segments their organizations target. “The torchbearing CIO is out there getting that data for the business and is bringing it to the business,” Fitzgerald says. This positions the business to stay ahead of the emerging competition and disruption.
Fitzgerald identified only 4 percent of CIOs as belonging to the select torchbearer category, compared to the 35 percent of CIOs he identified as market followers, whose companies post weaker financial results and are slower to innovate. That number will have to ratchet up significantly if businesses are to thrive or at least survive.
Indeed, even 800-pound gorillas can be disrupted, as Frito-Lay CIO Kristen Blum told CIO.com:
“How do we make sure that somebody doesn’t come along and make us obsolete? There’s disruption going on every day. Don’t ever sit back and think, ‘I’m just going to perform business like I’ve always performed business, because we’re the 800-pound gorilla and no one can touch us.’ Au contraire. That’s not the case. No matter who you are and what industry [you’re in], if you aren’t thinking about how you disrupt, stay disrupted, and put the consumer above all else, you will be obsolete, I guarantee that,” Blum says.
It falls to Blum and her peers at other Fortune 500 and larger companies to ensure that this doesn’t happen.
The tendency for CIOs to be seen as simple technicians, rather than business partners, can often undervalue the significance of the role. It’s crucial for CIOs to become ‘strategic enablers’ for their organizations, delegating the more technical aspects to their direct reports, and freeing them to strategically collaborate with other executive officers.
by Paul Rubens
In a world of ‘shadow IT’ services, CIOs need to adapt if they want to avoid being relegated to little more than technicians.
It’s a brutally frank question. But in a world where business units can sign up for “shadow IT” services in minutes to get anything from CRM to analytics to data storage to email, do organizations really need a C-level technology expert anymore?
The good news for CIOs is that the answer is probably “yes.” The bad news is that they are going to have to change and adapt if they want to have any chance of staying relevant.
That’s certainly the view of Jim Cole, a senior vice president at Hitachi Consulting. “The role of the CIO remains relevant to the extent they are strategists first, technologists second,” he warns.
Instead of being the chief architect of IT systems, CIOs must concentrate on being “strategic enablers” for their businesses by allowing them to “enter and exit markets with the utmost in flexibility and agility regardless of where the IT services are provided,” he adds.
CIOs who fail to do that risk finding their roles relegated to ones which answer to another C-level executive, while someone else – perhaps a Chief Digital Officer – steps in to handle the more business-critical strategic initiatives.
One key characteristic that CIOs need to develop is the willingness to allow business units to choose and use any (or almost any) applications that they feel they need to get their jobs done, Cole says. This includes the type of software as a service (SaaS) offerings that previously were acquired without the knowledge or permission of the IT department.
“Today’s CIOs remain relevant by engaging directly in the consumption of shadow IT within their businesses,” he says. To do this CIOs need to make sure they understand why particular shadow IT services are in demand, and what can be done to make sure that they can be used as effectively as possible.
“The alternative is to develop draconian, isolationist policies which are often cloaked in the guise of “security” and “data protection” but in reality are often attempts to falsely preserve command and control,” he adds.
The problem for career-minded CIOs is that traditionally the role has been one of Plan-Build-Run, and the capability to execute successful projects of this kind has been the hallmark of a successful CIO, says Abner Germanow, a senior director at New Relic, a Calif.-based analytics company.
Executing Plan-Procure-Manage projects – subscribing to SaaS offerings, in other words – has not typically been something for CIOs to show off about or to use as justification for an enhanced compensation package. “Not many CIOs have made their careers by subscribing to services,” he points out.
But Germanow agrees with Hitachi Consulting’s Jim Cole that a willingness to embrace SaaS is essential if a CIO is to remain relevant. “The reason that many companies subscribed to Salesforce was that their IT departments couldn’t make a CRM system. There’s been a long history of going around the CIO, but smart ones shouldn’t fight it, they should embrace it.”
An obvious question to ask then is whether the modern CIO’s role really comes down to one of keeping an eye on SaaS services that business units subscribe to, and ensuring that they are used in a secure fashion – perhaps, ironically, by subscribing to a Cloud Access Security Broker (CASB) service?
Germanow believes there is some truth in that, but also that there’s a need to move from control-based to trust-based security. “The trend in security is a shift from ‘I control and secure everything myself’ to ‘When I use Azure I now use modern technologies and a shared responsibility model with cloud providers,’” he says. “The focus is on business risk, not technology risk.”
Cole says there is more to it than that. To stay relevant a CIO has to orchestrate a complex blend of “best of” applications, technologies, and platforms – as well as providing “reasonable guardrails” when it comes to security, risk, and consistency, he says.
That means working with business units or individuals who want to subscribe to SaaS and building it into an overall IT plan. “The successful CIO engages, embraces, seeks to understand, partners to develop roadmaps, brings a mix of facilitating policies and enabling support services,” Cole explains.
“By engaging they help to establish a culture of accountability, approvals, audits, and awareness so the company leaders never wake up in the morning wondering where their data is and is it secure,” he adds.
Some CIOs may baulk at the idea of handing over much of the responsibility for running applications and securing data to cloud providers and effectively allowing business units to decide what’s best for their needs, but CIOs that can’t adapt to the changing face of enterprise computing are doomed to sink into irrelevance, he warns.
“For those CIOs who remain in the traditional “command and control” operating models, their relevance as a business partner will shrink as they continue to try to enforce isolationist policies that, like in geopolitics, never seem to end well,” Cole says.
It’s well documented that the CFO/CIO relationship can be challenging for some. As technology continues to play a major role in strategic decisions made to create value, drive growth and maintain a competitive advantage, it’s more important than ever for the CFO and CIO to forge a strong partnership.
Information security experts with a knowledge of the threat landscape are crucial to every business today. Not only can they provide a deep perspective on risk, but they can enable a business to function optimally while mitigating that risk.
by Sharon Florentine
When it comes to security, you’re better off employing a specialist. However, according to recent research, less than half of companies employ a CSO/CISO.
Your CIO has enough on her/his plate without taking on responsibility for security, too. While there’s plenty a CIO (or a CTO) can tackle when it comes to security, these roles are “generalists.” What you really need is a chief security officer or a chief information security officer (CSO/CISO) — a security specialist.
The Cyber Security Job Trends survey from free online security MOOC provider Cybrary, which polled 435 senior-level technology professionals from October to December 2015, found that only about half, or 49 percent, of respondents say their companies employ a CSO/CISO who’s solely responsible for security.
“Even though we found that cybersecurity professionals, at all levels, are fully aware, and experiencing first-hand that the available talent is not keeping pace with demand needs, I was surprised by the alarmingly low number of companies that employ a CSO/CISO who is responsible for security,” says Trevor Halstead, product specialist, talent services, Cybrary.
But if you already have a CIO and a CTO, why do you need a separate C-suite role for security? It’s about prioritizing both the business and the security of information, infrastructure, sensitive data and your public reputation, and minimizing the risks to all of these before a breach occurs.
A dedicated CSO/CISO will not only have depth and breadth of knowledge about the threat landscape, protective approaches, tools and techniques to protect infrastructure and information, but a unique perspective on how to analyze and mitigate risk, says Salo Fajer, CTO of data loss prevention and managed security service provider Digital Guardian.
“What a CSO/CISO can bring to the table is much more than just a specialty in technology, an acute awareness of the possibility of attacks and knowledge of the threat landscape. It’s about having a broad and deep perspective on risk, and how to enable the business while minimizing that risk,” says Fajer.
A CSO/CISO’s major role in an organization is first to enable the business to function optimally, but within safe parameters to minimize the risk of threats, attacks and business disruption, says Fajer. Being able to identify and assess threats, and then translate the risks into language to help other members of the C-suite to understand what’s at stake is critical, he says.
“You not only need to be able to view business operations from a risk versus functionality perspective, you have to be able to discuss these in the language that a CEO, a CIO and other C-suite peers can understand and can appreciate,” Fajer says. A background both in the technical aspects of security and broader business knowledge and experience are important here, he says.
Digital Guardian’s research, culled from publicly available information on the Fortune 100 (F100) companies that employ a CISO, shows that most in this role effectively combine both.
Though most F100 companies’ CISOs, 59 percent, came up through the IT and IT security ranks, 40 percent hold a degree in business; 85 percent hold a bachelor’s degree, according to the Digital Guardian research.
“There’s no specific path for becoming a CSO/CISO; there is a propensity for coming from IT and IT security, and there’s definitely an emphasis on integrating that with the needs of the business. You need to have someone with the security background, the experience and certifications that are enriched by business knowledge,” says Fajer.
While IT certifications in general aren’t the major differentiator they once were, Fajer says that in the IT security space in particular, they’re still incredibly relevant. Digital Guardian’s research shows that on average, F100 security leaders hold 2.86 certifications, with the CISSP certification held by 53 percent of those CISOs.
“Security certifications are still very much experience-oriented, with a lot of hands-on learning and real-world components to the credentialing exams. Because of the diverse mix of educational background, security pros rely on these certifications to show they have the necessary skills and experience,” he says.
In the overall hierarchy of the C-suite, there are benefits to having an independent, separate role for a CSO/CISO, says Fajer.
“Some organizations have the CSO or CISO reporting to the CIO or CTO; some have the role separate and reporting to the CEO, much like the CIO and/or the CTO does. It depends on the individual businesses, but there’s something to be said for a stand-alone role who’s more independent; that way, the CSO/CISO can act almost like an auditor for other C-suite executives, and bring objectivity into discussions about budgets, resource allocation and business decisions,” he says.
Where your CSO/CISO came from is less important than what they can provide to your business; it’s really the difference between having a generalist with limited knowledge of a broad set of potential issues and having a specialist who can weave security best practices into your existing IT operation without disrupting the business, says Cybrary’s Halstead.
“Companies and C-level executives need to realize the absolute necessity of having a CSO/CISO responsible for security, and at the table when making security decisions. We have reached a tipping point where security should not be an afterthought; it should be incorporated into the everyday business decisions a company is making,” he says.