Welcome Drazen Drazic, our newest guest blogger. Drazen’s posts will be a feature of our Wednesday coverage of the data security world. Drazen is the CEO of Securus Global. He is a strategic consultant, working across several industries on matters to do with Information Security strategy. Drazen is also a blogger. Heis the chief writer on the IT Security Management site, Beast or Buddha, where this post first appeared.
This is something I have talked about before.
Having been in roles in previous lives that has seen me oversee IT as a whole and IT Security (separate roles), I am of a firm belief that a good CSO has what it takes to be a good CIO, if not a better CIO than most out there. I went from the former to the latter (IT head to CSO) but I believe it can work effectively the other way. It’s not a regular thing though and I haven’t to be honest, seen it happen from memory in recent times – ie; a CSO becoming the CIO.
It’s horses for courses and case by case but more and more, I am seeing competent CSOs out there that have a better picture about IT within their business than the CIO does. Now this will upset some CIOs, but as you know, I don’t mind upsetting those that I think are not up to it. (A recent example here and here). And there’s a heap of CIOs out there, that really are not up to it. Can’t recall figures I have posted before but I’ll throw 80%+ out there as a starter now.
I’ve been working with the CSO of a relatively large business and good global brand in recent times. He’s been on board with his organisation for just over 12 months but in that time, has made some amazing inroads in regards to how this organisation views and works in regards to IT security and risk management overall. But, he’s now hit that time that body builders call the “plateau”, and every little “gain” now takes a mountain of effort – far more effort than gains took in his first 6 months at the organisation. He’s almost ready to move to “greener pastures.”
In his case (unlike many others we see a lot of the time), it’s not that the CIO is being a roadblock intentionally. He’s just maxed out the CIO’s headspace and CIO is struggling to understand what it is that CSO wants to do and why. Fair enough you may say….CSO should be “selling” it better, but at what stage should you cut the “sell” and ask why the CIO as the senior IT person in the organisation just does not get it? You can “sell” it till the cows come home but if someone just doesn’t get it [CIO], when in their role they should, what do you do?
His last resort is a presentation to the CIO (and board) by me. Do I know more than this CSO about his organisation? No, of course not. But external consultants are listened to (for good and bad…it is how it is and we all know that), and maybe having an external party being able to present a broader view of what “others” out there in business are doing, can kick start more gains by the CSO in his organisation. Time will tell but I digress from the topic.
In my view, having spent a good deal of time in this organisation and getting to know the organisation, key stakeholders, their business strategy etc etc, it’s clear to me that CSO has a far stronger knowledge of all of this vs. the CIO.
It’s not because this person [the CSO] is just good at what he does. He is, but a good CSO should know their organisation back to front to be able to be a good CSO and develop a good IT security and risk management program and strategy.
Combined with good business knowledge, you have someone [the CSO] who has that holistic enterprise view – better than most CIOs. What else do they need? Serious question. (See previous links on CIO failures above and ask this question again).