The rapid evolution of the digital world has driven great technology innovation and has also spawned growth in cyberthreats. In today’s IT environment, both CIOs and CISOs are integral to an organization’s success. The CIO relies on the CISO for advice, guidance, and risk evaluation, while the CISO depends on the CIO for support and infrastructure resources. They must work together to empower every business department within the organization with a clear vision.
Information security is no longer an IT support issue but a strategic business responsibility, and both executives must share common goals for security and IT operations to be successful. In this session, McAfee CIO Scott Howitt explores how CIOs and CISOs can work together to ensure the needs of the organization are securely met.
Hi, I’m Scott Howitt. I’m the SVP and CIO of McAfee. Today I want to go over the struggle that you sometimes see between CIOs and CISOs, and the things that you can do to remedy that.
First, let’s talk a little bit about my background. My career started in IT. I graduated from college with a degree in physics. I was looking for something to do and ended up working at EDS, which was Ross Perot’s company, and I worked with a series of banks as a developer. Quickly I realized that I wanted to expand that and work more with the business. I became the CTO of jobs.com, which was an internet company. I was there for five years, and we went ahead and sold that to Monster Board. Then I became the chief information officer at Benefit Mall, which was another online insurance company. So a lot of good experience there.
Then I realized that if I wanted to be a CIO at a bigger organization, I really needed to shore up my security experience. I went to work for Alliance Data and was there for five years, really learning the security field. Then I went over to JC Penney, and I was the first CISO at JC Penney. A lot of fun, and I learned a lot on the retail side of the business. Then I went to work for MGM Resorts, and I was there for about five years as the CISO, and for the last few months that I was there I was the CIO as well. And then I had an opportunity to come back to Dallas and be the CIO of McAfee.
I certainly have seen both sides of the coin and get the challenges of each role, and a little bit of where the struggle is. If we talk a little bit about the history of the CIO, Synnott and Gruber first coined the term in their 1981 book, Information Resource Management: Opportunities and Strategies for the 1980s. So to hearken back to when the first CIO came about, that was when the first IBM PC was released. Most CIOs at the time were people who were doing things with mainframes, and mainframes were typically just application programming; there wasn’t a lot of hardcore IT going on beyond application development and things like that. It wasn’t really viewed as the same high-level position as a CFO or a CEO. It was more of a, hey, the lead technologist in the room, right? And so there was very little budget responsibility that came with it. What they found as the role went on is that there was a lot of talk about technology helping companies deliver more for less, but it wasn’t really materializing in the way that it is today.

And if we look at the history of the role of the chief information security officer, the first one that came about was Steve Katz, who became the CISO at Citi in 1994, after they had suffered a breach. If you talk a little bit about how he rose up, he was a mainframe RACF/ACF2 guy in the organization; it was guys who were doing access control and some very basic infrastructure security. And so the role was typically buried within infrastructure, right? It was rarely a peer of the CIO, and typically was buried under the VP of infrastructure or the CTO. Over time, the role evolved a little bit into more of a compliance function, and not really what we are starting to think of it as today, a business enablement function. So what’s the state of the CIO today?
Well, many companies not only have a CIO, but there may also be a digital business officer, a chief innovation officer, a chief data officer, right? And the reason the role of the CIO may be eroding is that it’s not nimble enough to keep up with the speed of business. I’m not saying all CIOs are suffering this, but a lot of organizations are looking for such rapid innovation in technology that they feel they need more than just the CIO helping them out. Right? And there’s always been an expectation, or at least in the last few years, that the CIO understands the business as well as any of the other C-suite officers. So they’re looking at the CIO to be much more than just the technologist. They’re looking for a person who helps them meet their business objectives, right? And nowadays, integration is likely to be more important than building applications. How do I take the SaaS applications, the cloud infrastructure, and all that I have today, meld them together, and bring great, rapidly evolving solutions into the organization?

If we go ahead and take a look at the state of the CISO, in a lot of cases this role elevated very quickly, and in some cases it is not only reporting as a peer to the CIO but, again, above it. So for example, at the last organization that I was at as a CISO, I reported into the CEO, and the CIO reported into the CEO. Right? And the reason this is, is because cyber is one of the number one concerns of the board. So the CISO typically meets with the board almost every session, if not the full board then for sure the audit committee, and what we’re seeing is that the CIO isn’t having quite as many conversations with the board, right? However, we see CISOs still struggle with verbalizing their business value to the organization. Where before there was such an emphasis on compliance that the CISO got kind of a blank checkbook and was spending like a sailor in port, now what we’re seeing is that they’re starting to shrink that down and say, no, you’ve got to come with business justification just like everybody else, right? And even more challenging for the CISO is that the infrastructure they’re used to protecting and the tools they use to protect it are evaporating, as there’s a rapid movement to the cloud, and so they’re really finding themselves with a shortage of cloud-, application-, and container-savvy security professionals to help them out. So let’s look at the challenges that both of them are having. Likely we have misaligned expectations. And the reason I’m using this graphic is, you know, the bottom half is the early enterprise. As technologists, a lot of times we think of this as, oh yeah, we’re using very modern compute, while the people that are running the business are going, no, I’m used to the next generation of computers, right?
Because one of the cool things about being a technologist in the 80s and 90s is that I got all the really cool technology before everybody else did. But once the iPhone came out in the early 2000s, suddenly consumers were starting to get better technology than enterprise technologists were, right? And so the enterprise is starting to feel like, hey, why do I have to wait for IT? If I can get this technology at home, why are they slowing me down? Right? So what we think of as modern IT might not be what the enterprise is desiring. And if the CIO and the CISO aren’t perceived as enablers, the enterprise is just going to move you out of the way and go find somebody who they do perceive as an enabler. This is why we see the rise of boutique IT system integration firms and a lot more outside enablement coming into the business. Tools like CASB and SASE will help you identify some of this, but they won’t necessarily help you stop the sprawl if the business feels like they need it.

So we have to ask ourselves, are our control models still effective? If we look at the United States, we love traffic lights, right? It’s a model that we’re very used to, and we feel like it’s highly controlled, and when those controls go away, we feel lost. In Europe, they’re much more used to the roundabout model. And if you look at it just as a model itself, there are 16 conflicts in a roundabout model, but in a traffic light model there are actually 56 different areas of conflict. And so what we say is, well, with more controls, you know, I get it, it should actually be better. But if you look at it from a safety standpoint, at roundabouts there are 75% fewer injury collisions and 90% fewer fatalities than at a controlled intersection with traffic lights, right? And so we go, well, maybe the throughput is more efficient. Actually, it’s not; it’s 89% less efficient than roundabouts are. Oh, and it’s much more costly to maintain a traffic light and the systems that surround it, costing about five to ten thousand dollars more per year. And oh, by the way, if the power goes out, people still understand how to use roundabouts. We’ve all experienced what happens when you get to an intersection where the power is gone; people are very challenged by this, right? So we have to accept that our controls are changing, and though we’re comfortable with a traffic light, highly controlled model, it’s not the way that businesses are operating, right?

Another thing that I hear both CIOs and CISOs say is, oh, well, you know, cloud’s not really cheaper than having my own data center, so I’d rather keep my own data center. And it’s like, of course, of course it is. But the reason is, you’re not looking at the inversion of it. So let me use the example of good old Malcolm McLean. He was a Scottish immigrant, and in 1934 he bought his first truck. Within 20 years he had the largest trucking company in the South. But one of the challenges that he had is when he got to the docks and went to drop off his goods.
Sometimes the trucks would be stuck for one or two days waiting for stevedores to come and unload them. And a lot of times when they did, instead of just taking the inventory off the truck, they would take the inventory, half-box it, and then move it into the ship, which was very inefficient. So he came up with the idea of, hey, wouldn’t it be great if I had a container that sat on the back of the truck; I pull it to the dock, I drop it off, you take it, have a nice day. And the shipping companies weren’t interested in it at all, because from their vantage point they’re like, well, listen, I still have to take this and load it into the ship, and oh, by the way, it’s really not saving me any money, because it costs just as much to send a ship from Boston to London whether you created the container or I created the container. And so he couldn’t sell this concept. What he ended up doing was buying a few old ships, and suddenly he brought shipping from $5.86 per ton down to 16 cents per ton, because he saw the problem from when it left the factory to when it got to the consumer. And that’s how we need to look at cloud. How do I take it beyond just the things that I save, like server costs and power costs and all that? Why would you ever have patch management again if you’re in a cloud environment? Because if you build it to be flexible, hey, when next month’s patch comes out, you just burn down the old and bring up the new, right? So instead of doing lift and shift, how do you rework your architecture? These are some of the challenges facing CIOs and CISOs as they move forward.
And then now is the era of the end of linear thought. What do I mean by that? If you go and ask most people, hey, you have a pond, and you want to put lily pads in the pond to cover the pond, and the lily pad is going to double in size every day; at what point will the lily pads have covered half the pond? About 75% of people get this answer wrong. The answer is obviously on the 29th day, because when it doubles again it will fill the whole pond. But most people think linearly and not exponentially, because the human brain was wired way back when to, hey, I just have to outrun a bear. You don’t have to have calculus to do that; you just have to have very linear thought, right? And so now the world is changing so rapidly and moving so quickly that it’s hard for the human mind to keep up with it at times. Another great example is IPv4, which allows for 2 to the 32 addresses, or about 4 trillion addresses. People can get their mind around that, right? But IPv6 allows for 2 to the 128 addresses. If you try to put that in terms that humans can understand, we estimate that there are 10 to the 19 grains of sand in the world. Each grain of sand could have a trillion IP addresses in an IPv6 environment. If every atom on Earth had an IP address, we could do 100 more Earths, right? And so now you do get to where heads of lettuce, as they’re being plucked out of the field, have an IP address so we can track it. It’s a very different thought model, and we’re going to have to adapt quickly. Another example I use of this is the way that we’ve forever handled malaria. In environments where caregivers are trying to do it out in the field, they have to go test the blood, then it has to go to a pathologist, who has to look at it and determine, hey, is this blood infected with malaria? If so, give them the drug. It really slows down the process.
In a lot of cases, they’re waiting so long for the pathologist that they just give the malaria injection to the potential patient, because they don’t want to wait. So UCLA created a game that says, hey, this is how you identify if blood is contaminated with malaria. They treated it as a game and trained novice people to do it, and they found that if they trained them, they could get within 1.5% of trained pathologists. What this did is it rapidly gave diagnoses to the patient and saved tons of money by giving inoculation just to the people who needed it. And so the models that we’ve always considered in the past are going to change. Other challenges that are coming to the CIO and CISO: if you look at the top technology trends for 2020 and beyond, cloud-based AI we’re already seeing all over the place. Nobody could afford AI before, because you needed all the GPUs in your location; now I can just use them when I need them in the cloud. Sensor-based technology and IoT interaction is taking place all over. UI overhauls are taking over, right? Bigger data, mostly unstructured, so bigger data lakes and bigger implementations that we’re seeing. Augmented reality and virtual reality are taking over. SD-WAN and 5G penetration: why would you ever wire a building anymore, right? And notice what’s notably absent here: network hardware, or what we think of as traditional infrastructure. Right? Infrastructure as we see it today is rapidly changing, and CIOs and CISOs are struggling to keep up with that.

So how can the CIO and the CISO start appreciating each other? What the CIO should appreciate about the CISO goes back to what we talked about earlier. Cybersecurity is the number one board risk, right? And since it’s the number one board risk, the CISO has the ear of the board. So if you collaborate together and bring projects together, likely you can bring them up to board-level visibility. Right? The CISO is also likely to have very deep technical knowledge, maybe even more so than the CTO, because the CISO doesn’t have the luxury of not understanding or being able to ignore certain technological advancements; they have to understand all technology and how to secure it. So likely they have a deep understanding of how technology is implemented and of best practices, and they can help out the CIO. And oh, by the way, hopefully the CISO has the most visibility of assets in the organization. So the CISO can reach out to the CIO and say, hey, I can help you get your asset inventory under control and drive down some costs while you’re trying to transform another piece of the organization, right? What the CISO should appreciate about the CIO is that, since the CIO for so long now has had to understand budget and business implications, they can help as the CISO faces the new challenge of controlled budgets, where they have to show business enablement, right? And the CIO is likely to have a little bit better understanding of the business priorities, which is key for the CISO to create really good risk management and risk mitigation practices, right? And the CIO is likely to have a little bit better business relationships and business partnerships than just being viewed as the oversight guy, like the CISO sometimes is. So bringing these two together really helps. You can have a contentious relationship, but really, if the two are in lockstep together, they can innovate safely more rapidly than before.
And so really, they have each other’s needs at heart; they just don’t recognize it a lot of times. So what is key for transformations for CIOs and CISOs together? Well, number one, the key component is getting your internal house in order. Right? A lot of times you’re working at odds with each other on compliance issues and things like that, where really you should be partnering with each other and saying, hey, yep, I get it, these are on an outdated operating system, yeah, we should patch it, but what we could do is just isolate it; I know the systems aren’t important and are going away, so let’s talk about the business priorities that are really important and make sure we fix those. So partner together to make sure you’re working on the right things that give business value. Leverage new technology for innovation; of course you have to do that, and again, the quicker the CIO gets the CISO involved, so that they can create a security-by-design model for new technology, that will certainly help, right? And focus less on technology strategy and more on business strategy.
What I mean by that is, again, security, yes, is an oversight function, but the only reason security exists is to help the business meet their business objectives safely, right? So the way that you can start achieving these things is, number one, start working like a venture capitalist: if the projects that you’re working on can’t return an ROI or do not show some strategic value, stop working on them. That’s what venture capitalists do. Two, show the balance sheet. Most organizations don’t understand how much technology spend there is in the organization, by the technology team and by shadow IT. Bring all that together, have a transparent balance sheet, and have a business value discussion; bring it to the table just like all the other C-suite executives would. Three, efforts should be focused on addressing business priorities. Again, if a cyber risk program is to fit neatly inside of an enterprise risk program, you have to understand the business priorities that you’re trying to address anyway. So this just steps that up one more, and it also makes sure that the investments the CIO is making are secured and don’t come back to be bigger risks. And lastly, work together to focus on speed and flexibility. It shouldn’t be an oversight type of thing. It should be more of a, hey, on our big priorities, we’re going to start off together from project initialization to project implementation, with one of us likely a co-executive sponsor on efforts, to ensure that you get those things done. So, some final thoughts. Right? One of my big heroes is the ground operator of the Apollo program, Gene Kranz, and I think this is more and more important in today’s world. When I was growing up as a technologist, there was a big effort behind, hey, slow down implementation, but make sure when you implement it’s with perfection. The world has changed.
The quicker that we can get to an implementation, with some failures, is okay; we just have to understand that we’ve got to give it our best, right? And I’ll use my next quote, from Albert Einstein: we can’t solve problems by using the same kind of thinking that we used to create them. Standards and all that are super important, right? But this monolithic, very rigid structure that we’ve created, we’re going to have to loosen up some in order to evolve more rapidly, and the recognition needs to happen that you have to innovate together and take some risks where they make sense, and have some rigid rules where they’re warranted. And lastly, you know, the best way to predict the future is to invent it. You can’t always wait for perfection to happen. You’ve got to work together, and this is why the role of the CIO and the CISO working together as a marriage, instead of as separated parents that have to visit each other when they need to, is really the right way to go.