What CIOs and CISOs Want
What do Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) want? They often care about many of the same things, but also about a few things that are different. First, let’s explore how those roles came to be.
My first summer job in the early 1970s, between my sophomore and junior years of high school, was writing applications software for a mid-sized steel manufacturer in Rhode Island. The company’s data processing (DP) operation was so small that there was no formal DP organization. The few of us who had responsibility for either operating or programming our IBM System/3 model 10 computer system reported to the company’s general business manager. DP there was not yet considered strategic to the business and was mostly just a newfangled way of automating the normal accounting functions, generating reports about things that had already happened, and helping to improve the accuracy of inventory management.
During the next two summers I was a programmer and systems analyst for a large retailer that ran mainframes from NCR and IBM. The DP market was now experiencing explosive growth, and we all reported to a manager of Data Processing, which was soon to be renamed Management Information Systems (MIS). MIS reported to the CFO, as the IT world was still years away from having direct “C-level” executive representation in most organizations. I remember distinctly how we liked to joke about how we believed our MIS efforts were measured in our shop: “If the phone doesn’t ring, then we’re doing a perfect job!” And mostly, the phone didn’t ring.
I believe that what mostly influenced the evolution from DP/MIS to the need for a CIO role was a fundamental change in the nature of how, and where, information is generated, shared, used, and protected. The “I” (for “Information”) in “IT” has always been what it’s really about, much more than the “T” (technology). What was once an entirely technical realm, centrally focused on operational efficiency to serve a very small number of information consumers, exploded into a ubiquitous utility that permeates all aspects of an organization's operations. It was the level of necessary cross-functional executive communication and accountability associated with Information that created the CIO role. Suddenly the role required a deep understanding of the business, not just the technology. I recently wrote an article for Forbes that describes the rise of the CISO role to complement that of the CIO.
So what do modern CIOs care about? Carrying forward from the earliest days of DP, they must still care about the basic operations of the infrastructure that supports their organization's information. But in today’s world it’s not just the organization’s own information creators and consumers that must be served, but also its customers, suppliers, and the public. As a result, service level objectives (SLOs) have radically changed.
For decades SLOs for information systems availability have been described in terms of “how many nines” of availability. I’m old enough to remember when 99% (“two nines” – 3.65 days of statistical down time in a full year) availability was considered acceptable by most. There was a particularly long stretch through most of the current millennium when 99.999% availability (“five nines” – about 5 minutes and 15 seconds of statistical down time in a full year) was considered leading-edge. Today, anything less than continuous 100% availability is neither competitive nor, typically, acceptable. This means all information must always be available, even as the underlying technology that supports it is upgraded or changed, and as individual components fail. This is like requiring a car to never fail, and to keep driving and transporting passengers while the engine is upgraded, the tires are changed, a new paint job is applied, and additional passengers are added. CIOs care that their organization's data is always available, all the time.
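The “nines” arithmetic above is easy to get wrong by hand (five nines works out to roughly 5 minutes 15 seconds a year, not 5 minutes 26). The following is an added example, not code from the original article, that turns an availability target into a downtime budget and then goes one step further than the text: it checks a list of constructed outages against that budget, the way an error-budget review would. The outage list and the non-leap 365-day year are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Assumption: a non-leap year. Leap years add 86,400 s to every budget below.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def downtime_budget_seconds(availability_pct: float,
                            period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Allowed downtime (seconds) for a target such as 99.999 (percent)."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return period_seconds * (1.0 - availability_pct / 100.0)


def fmt_duration(seconds: float) -> str:
    """Render a duration as e.g. '3d 15h 36m 0s' or '5m 15s'."""
    total = int(round(seconds))
    days, rem = divmod(total, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    parts = []
    if days:
        parts.append(f"{days}d")
    if days or hours:
        parts.append(f"{hours}h")
    if days or hours or minutes:
        parts.append(f"{minutes}m")
    parts.append(f"{secs}s")
    return " ".join(parts)


@dataclass
class Outage:
    cause: str
    seconds: float


def error_budget_report(target_pct: float, outages: list[Outage],
                        period_seconds: int = SECONDS_PER_YEAR) -> dict:
    """Compare observed downtime against the budget implied by the target."""
    budget = downtime_budget_seconds(target_pct, period_seconds)
    used = sum(o.seconds for o in outages)
    return {
        "budget_s": budget,
        "used_s": used,
        "remaining_s": budget - used,
        "within_slo": used <= budget,
        "achieved_pct": 100.0 * (1.0 - used / period_seconds),
    }


# Constructed sample: three short events in one year. Note that a single
# four-minute planned maintenance window already eats most of a five-nines year.
SAMPLE_OUTAGES = [
    Outage("planned storage firmware upgrade", 240),
    Outage("database failover", 75),
    Outage("expired TLS certificate", 50),
]


def sample_report() -> dict:
    return error_budget_report(99.999, SAMPLE_OUTAGES)


if __name__ == "__main__":
    for nines in (99.0, 99.9, 99.99, 99.999):
        print(f"{nines:>7}% -> {fmt_duration(downtime_budget_seconds(nines))} per year")
    r = sample_report()
    print(f"five-nines budget {fmt_duration(r['budget_s'])}, used "
          f"{fmt_duration(r['used_s'])}, within SLO: {r['within_slo']}, "
          f"achieved {r['achieved_pct']:.5f}%")
```

Running it shows why the article treats five nines as barely distinguishable from “never down”: the sample year’s 365 seconds of outages, each individually unremarkable, already breach the 315-second budget, and the only way to stay inside it is to absorb upgrades and failovers without any user-visible interruption.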
Performance SLO requirements have changed too. Technology has advanced to the point where most solutions in the market, from most sources, can comfortably meet most application requirements for both bandwidth and I/Os per second (IOPS), most of the time. The new battleground for performance is latency, which primarily affects real-world application response time. Organizations gain competitive advantage and differentiate themselves by being able to have their applications respond faster for their users. CIOs care that their systems provide their users and customers with better response times than their competitors.
But SLOs are really the “keeping the lights on” part of the CIO’s role. What drives and motivates CIOs is being able to use information strategically to better their organization and its business, which is why in most major enterprises the CIO reports directly to the CEO. Effective CIOs build solutions that let information be used predictively, so that decisions are based not only on what has already happened but on what the data suggests is still to come.
Information security has always mattered: it protects access to, and use of, information and systems, well beyond the traditional protection against infrastructure failure. But CISOs face some extra challenges that CIOs don’t.
One is the need to find the right balance: ensuring the appropriate level of protection, but not one so heavy-handed that the right people can’t easily get what they need, when they need it. Years ago, I had a fascinating discussion with two different organizations that each envied the other. One had implemented an environment where nothing was accessible unless explicitly allowed, while the other had an environment where everything was accessible unless explicitly denied. Both thought that they were initially doing the right thing, but learned from experience that a better balance was needed to satisfy their business.
Another is the need to keep pace with constantly changing regulations and compliance requirements, such as the US federal Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022. With new and different threats constantly emerging, and new laws regarding security always evolving to address them, the only thing that is certain is change.
It is the wise CISO who follows that famous message from Intel co-founder Andy Grove: “only the paranoid survive”. A good CISO does everything practical to try to prevent security breaches or compromised systems, but takes the attitude that, despite their best efforts, the worst will eventually happen anyway. They prepare for, and continually test, data recovery from every imaginable worst-case scenario.
So, what do CIOs and CISOs want? A seat at the highest table in their organization, so that they can deeply understand the business, and directly influence the most important decisions to support their organization. They need cross-functional cooperation and support from all other functions to achieve mutual success. They need funding for their efforts that reflects what is truly necessary to do their jobs right.
And it doesn’t hurt for their CEO and boards to understand, recognize, and thank the CIO and CISO for their efforts. If information is used for strategic advantage, the right people get the information they need when they need it, information is well protected, and recovery is rapid with minimal to no data loss when systems are compromised, then the CIO and CISO deserve high praise. But usually you can tell that they’re doing a great job through a simple observation: their phone doesn’t ring. :-)