Barry Caplin, Chief Information Security Officer at Fairview Health Systems, shares his insights on the two different worlds that CISOs and CIOs are living on right now and how they can meet in the middle to make better business decisions.
[Argyle Executive Forum] What are the two different worlds that CISOs and CIOs are living on right now?
[Barry Caplin] Of course, the title of the talk was a play on the book title from John Gray. But the allusion works because CISOs and CIOs have often followed different career paths to get to their senior-level positions. While there are plenty of exceptions, many CIOs have a technical project- or product-management, business or financial background. CISOs tend to have followed a “geekier” path, with previous positions as programmers, firewall administrators or security engineers. In addition, IT and Security have different mandates – IT must innovate and operate; Security must inspect, block and protect. For example, in new product/project delivery, the CIO wants to deliver an innovative product on time and on budget. The CISO wants to slow things down to assure appropriate controls are built into the design, programmed in and tested. This can create a fundamental divide.
[Argyle Executive Forum] What are examples of the different languages that they both use?
[Barry Caplin] Words matter. An often-used security term is “Threat”. CISOs speak of threat management as a fundamental part of the security program. Threats can be from software (viruses and malware), actors (cyber thieves or attackers), or physical/natural causes (power or weather). The CIO considers project or organizational threats including budget, resources, and outsourcing. One of my favorite misused words is “Risk”. I’d like to declare a new law that we don’t use the word risk without a qualifier such as project, security, regulatory, etc. Some of the key IT risks include project risk, resource risk and budget risk. In Security, we often use the traditional security risk calculation, multiplying the likelihood of an event occurring by a measurement of the impact to the infrastructure or organization should it occur. One “risk” about which both CISO and CIO often agree is the organizational and career risk of a breach of data.
[Argyle Executive Forum] How do CISOs and CIOs meet in the middle to make better business decisions?
[Barry Caplin] How does that saying go? – The first step in solving a problem is to recognize that there is a problem. Regardless of reporting structure, the CIO and CISO need to be strategic partners. While their specific mandates might differ, the key here is to align with the overall organization mission and strategies. Most organizations have a mission and mandate to provide quality service to customers. Most boards have a mission and mandate to increase shareholder value and preserve the organization’s reputation. None of these can happen if IT does not quickly and efficiently deliver quality services, or if products or infrastructure have security vulnerabilities, or if there is a data breach.
[Argyle Executive Forum] What are some key opportunities for the two to collaborate?
[Barry Caplin] There are many! Mobile/Social/Cloud/BYOD are different aspects of the radical paradigm shift in IT services – not only in how the services can be delivered but also in the expectations of the end users. This is a fantastic opportunity for the CISO and CIO to anticipate need, drive standards, align with legal/audit, and provide strategic solutions. I know that these services can be delivered with appropriate controls. I also know that any IT organization not embracing these technologies can be sure that the rest of their company has already done so.
Another key opportunity is in the area of third-party risk management. Along with mobile/cloud, this may be one of our greatest threats for improper data disclosure or other infrastructure breach. Vendor management is a difficult challenge, as we must partner to control not only data sharing but also third-party remote access to systems and infrastructure.
My final example is the project/product lifecycle. Key activities include defining design and secure coding practices, system standards and simple security requirements. By partnering with IT and coming to the table early, we can help guide the business to a solution that meets its needs, meets standards and will be both safer and delivered on time.
[Argyle Executive Forum] Is there anything else you would like to add?
[Barry Caplin] Yes. The bottom line is that Security and IT need to be service organizations. They need to align to meet the needs of the business. This won’t happen if they are pulling in different directions. The CISO and CIO need to actively seek collaboration opportunities. Otherwise, the business will find another way to accomplish its goals.
Barry is the first Chief Information Security Officer for Fairview Health Systems. He joined Fairview in 2013 and is responsible for enterprise information security and the security technologies, including the development and implementation of organization-wide security policy, security architecture, and consistent standards and procedures. This is a balancing act, supporting business objectives with the many difficult security challenges and compliance efforts relating to federal and state statutory and regulatory requirements, such as HIPAA and PCI.
Barry has 30 years of experience in information technology, the last 20 of which have been focused on information security. He has worked in information technology and security positions at the State of MN, US Bank, US West/Qwest, Boeing Computer Services and United Technologies. He holds an MS in applied mathematics from Virginia Polytechnic Institute (aka Virginia Tech) and a BS in mathematics and computer science from the State University of New York at Binghamton. He is a certified information systems security professional (CISSP), an information systems security management professional (ISSMP), a certified information systems auditor (CISA) and a certified information security manager (CISM), and is active in the Minnesota chapters of InfraGard, the Information Systems Security Association (ISSA), and the Information Systems Audit and Control Association (ISACA).
He has recently retired from 14 years of coaching youth sports, primarily soccer, in Apple Valley and served as director of coaching of both the travel and community soccer programs. He continues his service on the board of directors for the Valley Athletic Association, which oversees the local travel and community sports.
Follow him on Twitter @bcaplin and read his blog at http://securityandcoffee.blogspot.com/