In this week's episode Dr. Crane speaks to Joe Robinson about why he thinks CISOs should report to the CIO, and design considerations for organizational structure. The discussion covers topics such as who is responsible for vulnerability management and building trust as a CISO.
Joe is the founder and CEO of High Peaks Solutions, a cybersecurity venture focused on helping clients develop real insights and enhance their security programs to prepare for the ever-growing number of cybersecurity threats.
He also previously was the executive vice president and director of information, technology, and operations for Fifth Third Bank where he led the information technology, cybersecurity, data management, and bank operations divisions.
In this episode:
00:00 — Welcome
02:12 — Should The CISO Be Under The CIO
03:30 — The First And Second Line
04:38 — The Role Of CISO In The First And Second Lines
06:05 — Organization Of Security Leaders Along Lines
07:38 — What Works And What Doesn't When Organizing Along First And Second Lines
09:26 — Ownership Of Responsibilities And Resources
11:08 — Communication And Relationships Between CISOs and Technology Teams
13:30 — Reporting To A Board Of Directors
15:39 — Building A Program For Reporting To The Board
16:36 — What Works In Building Trust As A CISO
18:36 — Common Mistakes In Building Trust And Relationships
19:27 — Getting From "No" To "Yes And Here's How"
21:37 — Sign Off
Joe Robinson:
High Peaks Solutions — https://highpeakssolutions.com/
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/003-the-view-from-the-cio-with-joe-robinson
[00:01:52] Earl Crane: Joe, welcome to the program.
[00:01:54] Joe Robinson: Thanks Earl, appreciate you having me on.
[00:01:57] Earl Crane: So I want to start with a question that a lot of CISOs seem to ask and struggle with, especially dealing with the CIOs. Should the CISO be under the CIO from a reporting relationship?
[00:02:12] Joe Robinson: In my opinion, there's a context that has to be set here. What is the CIO's role within the organization? What's the current maturity level of not only the security team, but also the overall maturity of the company as it pertains to how it operates, how it deals with risk management and so forth?
[00:02:32] Joe Robinson: So there are some factors here that I think come into play. What I would suggest though is I look at CISOs reporting to CIOs as a positive thing. There are quite a bit of activities that go on within a security organization where the technology groups need to participate, be part of, or own, to make it really effective.
[00:02:52] Joe Robinson: I also look at it in the context of first line and second line. And so when you look at the activity that goes on in a security organization, quite a bit of it happens in more of a first-line type of There are some oversight responsibilities, and there's a reason to think through how you want the risk management oversight to occur, but you also have to deal with those operational elements.
[00:03:15] Earl Crane: You mentioned the first and the second line, which I think is a great starting point. And for those who aren't familiar with the first and second line, maybe you could describe that a little bit more and the relationship and the tension that they have built in.
[00:03:30] Joe Robinson: The way I look at the first line, these are the operating folks that are actually doing transactions or getting the work done. And they're responsible to have the appropriate controls in place to manage the risk around their work.
[00:03:44] The second line is typically a risk organization that is providing oversight to the designs of those controls, making sure those controls are robust and that they're being managed on a regular basis to ensure that the control environments are yielding the type of effectiveness necessary to reduce the risk, whatever topic you're talking about whether it's operational or data security risk.
[00:04:06] Joe Robinson: And then I would throw in, just for completeness, the concept of the third line which tends to be your audit function. These are the teams that will come in and oversee basically all of the process to make sure that, if there are any notable gaps, that those are highlighted and brought to the attention of management.
[00:04:23] Earl Crane: So the first and second line are naturally in tension and, in the same way, the CIO and the CISO from a security and technology operation standpoint also sometimes find themselves in tension. As a CIO, have you seen the role of a CISO changing operating in the second line versus the first line?
[00:04:45] Joe Robinson: I have. I've seen it attempted. I've seen different models that have brought different levels of success. Part of the challenge you run into is it is a hybrid role for the CISO, in most situations where they have operational responsibility, and they have that risk oversight responsibility.
[00:05:05] Joe Robinson: I've seen models where the risk oversight has been extracted out, and you have more of a first-line CISO who's focused on day-to-day operations and a second line IT risk, security risk type person, responsible for some of that oversight.
[00:05:23] Joe Robinson: That's an interesting model that I have tried in the past. You have to ensure that you have the right talent focus and the right alignment to make that work. But that seems a little bit more natural to me than moving the entire organization into risk or out underneath any of the executive leadership and having the particular CISO reporting to the CEO.
[00:05:44] Joe Robinson: There's different perspectives on industry and all that should be considered, but in general, that's the way I would see it.
[00:05:50] Earl Crane: Do you think of the CIO as a first-line or a second-line function?
[00:05:55] Joe Robinson: I see the CIO predominantly as a first-line function.
[00:05:59] Earl Crane: If a CISO is focused on the second line, they might not be under the CIO, for example, because they'd be operating at that second line.
[00:06:07] Joe Robinson: Yes. And that would be another design consideration. Would you pull and have a chief information security officer predominantly focused on second line activity? Or would you align the first line activity with a security leader and have the second line responsibility be very clear for the IT risk or the CISO or whatever you want to name that particular organizational structure.
[00:06:33] Joe Robinson: But I do believe that the operational aspects are very important in today's security organizations, and we want to make sure that we do those well and do those effectively and completely. Because the activity that they perform is the activity that protects the institution, protects the data of the institution. We have to get that right.
[00:06:53] Joe Robinson: The second line of defense has to make sure they're clear on their objectives. And that's where the tension becomes very noticeable, because you have that intersection that needs to be well-defined.
[00:07:05] Joe Robinson: And frankly, it also takes leaders to deal in the gray areas. You need people that can push through and define it or take on accountability and responsibility so that the collective security of the institution is being appropriately managed, and the appropriate oversight is being provided.
[00:07:23] Earl Crane: So, do you have any examples that you can share of what has worked, or maybe what hasn't worked when dealing with the first and second line relationship with the security function?
[00:07:35] Joe Robinson: It is a very challenging space, and I've seen different levels of success.
[00:07:41] Joe Robinson: The situation is such that you really have to understand the talent that you have and align it appropriately. In an organization that has a strong operating CISO, having the appropriate IT risk person or group in the second line becomes very, very important. You need to ensure that those responsibilities are clear.
[00:08:02] The biggest challenge I've seen is when you have two leaders who both feel like they're responsible for security. There's a lot of tension and headbutting. And I've seen that headbutting happen very often. And it's one of those things where you have to continue to go back to what is a first-line function, what is a second-line function? Otherwise, there's a tremendous amount of confusion with the role in the assignments.
[00:08:26] Part of what we need to do is start with defining the elements and the responsibilities of that role before we make organizational shifts and changes, because it's an area in which there's a lot of confusion, and it can cause a lot of strain in the organization. But where it's been successful is where those lines have been drawn and made very clear.
[00:08:49] Earl Crane: So to summarize that, and I could see it from your perspective as a CIO, it's fairly well-defined in the first line. Whereas the second line for the CISO function, it's less clearly defined if it's a first-line CISO or a second-line CISO, and success is clearly having that defined, so there's no ambiguity.
[00:09:11] Earl Crane: What I had in mind was the conflict of, for vulnerability management, vulnerability scanning, are those resources owned by the CISO, or are they owned by the CIO and done on behalf of the CISO? Is that part of the conflict, or what's some of the conflict that you're getting into?
[00:09:30] Joe Robinson: Let's play that as an example. My opinion would be that the vulnerability management, and the interpretation of that information is the responsibility of the CISO. They're responsible to identify vulnerabilities in the environment, translate those into priorities for the institution, but do that in concert with the technology organization.
[00:09:52] Joe Robinson: There have been times in my career that that has been a very difficult situation, because now you're starting to dictate work into the technology group, where if you're rating vulnerabilities as high or severe, and they have certain cycle times to turn around and patch, then that requirement sits on the CIO's desk or the technology leader's desk to execute on.
[00:10:17] Joe Robinson: And so whenever you're introducing work into an organization, there need to be rules of the road. There also needs to be somebody to broker that. And so there's been times when I've had very heated conversations with leaders within the organization about how to deal with those priorities. And I think that's the type of support that a CISO is looking for as it pertains to, if they do report to a CIO, that CIO has to champion their cause as well, not just the other causes that naturally come into a CIO's responsibility.
[00:10:53] Earl Crane: How much of that is driven by the relationship between the CIO, the CISO, the technology leadership team, and how could that be improved?
[00:11:03] Earl Crane: I'll give you an example. I was talking with a CISO a couple of weeks ago who expressed frustration that they had a vulnerability that had been identified in a software product they had that was live. They submitted that vulnerability information to the application development team to go in and patch it, and the app team treated it as a feature request. They just put it in the queue with the feature requests, and it sat over the weekend until it got to their scrum team the next week. And the urgency of this feature had not been communicated, which was really a bug and a vulnerability that needed to be put in place.
[00:11:43] Earl Crane: How do you deal with situations like that? How do you improve that reporting relationship?
[00:11:48] Joe Robinson: There's a couple of components that are important. One is, all of this should be governed by some process and approach that the CIO, the technology leaders, the CISO all agree that this is the way we want to manage identifying, categorizing, and ultimately prioritizing vulnerabilities.
[00:12:05] Joe Robinson: And when you do that, what also is important is to have accountability around turnarounds, service levels associated with certain types of vulnerabilities. If that is your baseline going in, then at least you have a structure to work from.
[00:12:18] Joe Robinson: And then you can, over time, build the personal relationships, the credibility, and the confidence in the process and the people to ensure that if the CISO's team is identifying something that critical, that the response is a very quick response with a tremendous sense of urgency, because the trust in the process has been established. The relationships are deep and strong and therefore the action gets taken.
[00:12:45] Joe Robinson: I would say a lot of what you're describing goes back to lack of either process and expectation setting or that relationship building, where the technology leaders should see the CISO and his team or her team actively working on giving them only true priorities. So that that confidence continues to get built over time because the technology team sees the participation of the security team to do that for them and with them.
[00:13:15] Earl Crane: CISOs frequently need to report their security risk function to business leadership. What advice would you give to a CISO needing to report to their board of directors?
[00:13:28] Joe Robinson: Sure. I think there's a couple things that are really important. Number one, the board is made up of very diverse people with diverse backgrounds, and to assume that everyone on a board of directors is going to understand all the ins and outs of security is a bad assumption. So simplify your communications to the point where you're able to talk about things in the context of activities or experiences that you know board members would have.
[00:13:56] Joe Robinson: So for example, we talked about vulnerability management and patching. I wouldn't use those terms at all with the board other than explaining to them that that occurs. Then I would try to explain to them what it is by bringing it down to a very simplistic level. Spend a little time explaining how most of the board members have an iPhone. They all have some sort of smartphone, right? So once in a while, you'll get a notification to update your phone. And once in a while those notifications would say these are important security updates.
[00:14:28] Joe Robinson: Well, we do that in our environment in whatever entity you're in. We do that with all of our infrastructure, everything that we do to run the company, we have a similar process where we are updating software and hardware and other things to ensure that they are secure.
[00:14:45] Joe Robinson: Well, the story that you use is around the smartphone and the updates, to get them connected to what the heck you are talking about when you say patching. So you start with those types of stories to get them connected to it. They're very sharp people; they'll understand it. So simplicity is number one. Storytelling is number two. And then the last thing I would comment on is have a repeatable process to your presentations and to your discussions. Have an approach that highlights certain elements of your program. Have that presentation chart be the same presentation chart with updates on a regular basis. Talk about the same metrics on a regular basis.
[00:15:24] Joe Robinson: If they see the same set of metrics, and they're able to see trending and progress or negative progress, there's a level of confidence that comes with seeing something familiar and seeing it over time.
[00:15:35] And then it gives you flexibility, once you've established that repeatable part of the presentation, to dive into the key points. What are the key messages that you need the board to understand that occurred over the last 90 days, or that are developing in front of us as far as new vulnerabilities or new challenges that we see.
[00:15:55] Joe Robinson: They are not worried about trying to figure out what you put on paper. They've seen it. They understand the updates, if you will. But you turn their attention to the strategy. You turn their attention to new emerging risks. Things that are critical for the board to understand as a board, and you get the repeatable, the more tactical elements out of the way so that you can spend more of your time on the strategic elements.
[00:16:21] Earl Crane: So let's pull that thread for a little bit. You're a new CISO in a role, and you're needing to establish trust and rapport with your CIO as quickly as possible. What are some trust-building activities that you've seen, particularly as a CIO, that make you trust your CISO or a new CISO in that environment more, or what are some things you've seen that hurt that effort, especially as a new CISO?
[00:17:05] Joe Robinson: Number one, translating vulnerabilities or findings with an eye toward identifying the true priority within the environment in which that security team works, and really helping put a sharper point on what is truly a big issue. Number two, I would say recognizing most companies are in the business of risk taking. We're not operating in zero risk.
[00:17:14] Joe Robinson: And so as a CISO is engaging the CIO or business teams in the context of an initiative or a new system or whatever it happens to be, being that person that has the ability to identify risks, and provide options and impacts around different strategies. Not necessarily to accept that risk or not accept that risk, but to identify that risk and what can be done to minimize that risk. Or, at least, provide the business leaders or the CIO the context by which they can think of that.
[00:17:48] Joe Robinson: Because you're providing education, information, and options. And that's a big difference between getting a yes or no, or being educated on the risk and what can be done to mitigate that risk. Then it becomes a risk decision, not a security decision, which I think is an important aspect of helping other leaders see the CISO as an enabler to the business strategy.
[00:18:11] Joe Robinson: Even if some of those options come with some dire warnings, there are still options and there are ideas that can be contemplated in the decision.
[00:18:21] Earl Crane: What are some common mistakes or misconceptions that CISOs make, from a CIO perspective, that you want to provide some insight on?
[00:18:31] Joe Robinson: Don't be known as the leader of no. Your role is not to say no to things. Your role is to educate, provide options and insights into the risk associated with certain business strategies. And the company needs to understand its appetite and what it's willing to do and not do.
[00:18:50] Even if a decision ultimately is no because of the risks associated with it, and maybe that was the obvious answer coming out of the initial review, spend some time and energy defining what those options could be and how to go forward to get to yes, even though yes may be something that the company doesn't want to pursue.
[00:19:12] Joe Robinson: I've always been a fan of taking that perspective of, rather than saying no, say "yes, and here's how," because it's hard to imagine a particular scenario where you can't build some level of compensating controls to do a function within that security profile. It's just, it might be so onerous you don't want to do it. But then it's a matter of balance of how much you really want to do it, 'cause here's how we could do it in a safe way. I had a product leader come to me, and we were talking about their product. It was a small product in the financial services space. And they were arguing to renew a contract we had with this technology provider who provided the service.
[00:19:52] Joe Robinson: The service was ultimately losing money, and it turned into a little bit of contention around renewing this particular provider and providing that product to the marketplace.
[00:20:02] I asked him if he was going to make up his losses by increasing the volume, so we had even more losses. But the bottom line was the business wanted to offer a feature. We made it clear that based on the nature of the feature and the fraud associated with it, it wasn't going to make a lot of money, if any. And the decision was to continue with it just to have the feature in the set of products that were out there.
[00:20:27] Joe Robinson: So it was a business decision. They understood the risks. They understood the lack of profitability associated with what was going on. So we had our opportunity to share that, and collectively we made the decision to continue.
[00:20:40] Joe Robinson: But it's those kinds of conversations you need to have with others in the organization, where it's really fact-driven, and it's risk identification and understanding it a little more deeply. 'Cause there may be situations where you want to take some additional risk, as long as everyone understands that you're making an informed decision, and you can move on from there.
[00:21:00] Earl Crane: I think that's a great example. There are reasons to continue with a loss leader. There are reasons to continue to operate with a product that has less security than the profile that you want. And while you might cringe while you do it, that's the value of having a risk appetite, because the business has been able to decide they're willing to take that additional risk.
[00:21:22] Earl Crane: I appreciate that. Well Joe, thank you very much for joining me on the podcast. I appreciate you sharing all of your experience and wisdom with our listeners here on CISOWise.
[00:21:31] Joe Robinson: Thank you. Appreciate it Earl.