Why can’t CIOs and CSOs just get along?

IT chiefs and security officers don't always view the corporate world similarly from their C-level positions.

IT chiefs and security officers might seem likely to view the corporate world similarly from their C-level positions, but that's often not the case. To explain why, the CIO of one company and the CSO of another took the stage at The Security Standard conference in Chicago and aired some universal gripes that these executives typically have about each other.

If CIOs would be more forthcoming with their technology plans and consult CSOs in advance, security professionals wouldn't be put in the position of always having to retrofit security, said Andy Ellis, senior director of information security and chief security architect with Akamai.

"Maybe in the long run we could reduce the amount of risk we have," he said.

But Geir Ramleth, senior vice president and CIO at Bechtel, has a different impression of what happens when CIOs ask CSOs for advice.

"Security people have this phrase, 'yes, but...'" he said. "They want to agree with you, but only for three letters long and then they go on: 'Yes, but we should really have a policy on this.' OK, fine, go and write one."

The phrase Ramleth dislikes the most? "'Yes, but you have to wait.' That means 'I agree with you, but I don't agree with you, and therefore I'm going to mess you up,'" he said.

Ellis also has a pet-peeve phrase: "When you bring a risk forward and [take the time to] explain it, I get 'I don't see why that matters.' Maybe I didn't communicate the risk well enough, but it's often used as a defense mechanism. That means 'If it's not clear to me, I don't have to do anything about it.'"

Both executives agreed that part of the conflict stems from the fact that they have different missions. For most CIOs, security is important, but not the top priority.

"Speed, agility, and serving the needs of the business often drives you. It doesn't mean we do all those things and then think about security, but [it's not] top priority," Ramleth said. "At Bechtel, we're a project company, so risk to us is anything that changes the scope, budget, and schedule [of a project]. The CSOs out there change the scope, increase the budget, and [what they do] takes longer than I expected."

Having more information about the business drivers behind technology decisions would help CSOs understand the priorities, Ellis added. "If we understand the business problem and we can get security in there first, maybe we can do it in an agile function," he said.

Ramleth said the vocabulary used in each position also varies greatly; CIOs use words like speed, simple and easy, while CSOs talk about things that are critical and essential.

The relationship between CIO and CSO can be harmonious, but there will always be diverging priorities, the two executives say.

"I really do appreciate [security professionals], but I do have the feeling that I'm talking to my life-insurance guy who tells me why I should pay a lot of premiums when I'm alive so someone else will get it when I'm dead," Ramleth said. Network World
