CSOs becoming CIOs……A natural progression?
This is something I have talked about before.
Having been in roles in previous lives that has seen me oversee IT as a whole and IT Security (separate roles), I am of a firm belief that a good CSO has what it takes to be a good CIO, if not a better CIO than most out there. I went from the former to the latter (IT head to CSO) but I believe it can work effectively the other way. It’s not a regular thing though and I haven’t to be honest, seen it happen from memory in recent times – ie; a CSO becoming the CIO.
It’s horses for courses and case by case but more and more, I am seeing competent CSOs out there that have a better picture about IT within their business than the CIO does. Now this will upset some CIOs, but as you know, I don’t mind upsetting those that I think are not up to it. (A recent example here and here). And there’s a heap of CIOs out there, that really are not up to it. Can’t recall figures I have posted before but I’ll throw 80%+ out there as a starter now.
I’ve been working with the CSO of a relatively large business and good global brand in recent times. He’s been on board with his organisation for just over 12 months but in that time, has made some amazing inroads in regards to how this organisation views and works in regards to IT security and risk management overall. But, he’s now hit that time that body builders call the “plateau”, and every little “gain” now takes a mountain of effort – far more effort than gains took in his first 6 months at the organisation. He’s almost ready to move to “greener pastures”…..read on:
In his case (unlike many others we see a lot of the time), it’s not that the CIO is being a roadblock intentionally. He’s just maxed out the CIO’s headspace and CIO is struggling to understand what it is that CSO wants to do and why. Fair enough you may say….CSO should be “selling” it better, but at what stage should you cut the “sell” and ask why the CIO as the senior IT person in the organisation just does not get it? You can “sell” it till the cows come home but if someone just doesn’t get it [CIO], when in their role they should, what do you do?
His last resort is a presentation to the CIO (and board) by me. Do I know more than this CSO about his organisation? No, of course not. But external consultants are listened to (for good and bad…it is how it is and we all know that), and maybe having an external party being able to present a broader view of what “others” out there in business are doing, can kick start more gains by the CSO in his organisation. Time will tell but I digress from the topic.
In my view, having spent a good deal of time in this organisation and getting to know the organisation, key stakeholders, their business strategy etc etc, it’s clear to me that CSO has a far stronger knowledge of all of this vs. the CIO.
It’s not because this person [the CSO] is just good at what he does. He is, but a good CSO should know their organisation back to front to be able to be a good CSO and develop a good IT security and risk management program and strategy.
Combined with good business knowledge, you have someone [the CSO] who has that holistic enterprise view – better than most CIOs. What else do they need? Serious question. (See previous links on CIO failures above and ask this question again).
Related posts:
Risk Management – Various Posts
The 7 Reasons why Business are Insecure
Risk Management – Great in meetings, not so much in practice
June 27th, 2009 at 6:15 pm
I have to ask. You have mentioned before also that most CSOs also don’t rate as good CSOs in your opinion so I assume you are talking theoretically, good CSO against good CIO?
I do understand where you are coming from and I do agree in certain circumstances where all the planets align that this is a plausible position.
Most CIOs only survive in their positions for as long as they do because those above them are not in a position to judge quickly enough whether the person they have hired actually is and can do the right thing by their organization. Lifespan of a CIO? 2 years average? Says a lot.
June 29th, 2009 at 7:45 am
Well to a degree yes. Weighing up roles, knowledge, actual input etc – a lot of variables to take into consideration.
July 3rd, 2009 at 4:50 pm
IMHO a good CSO would generally perform well as a CIO due to the breadth and depth of knowledge acquired over many systems, as well as understanding the security imperative.
A mediocre CSO could possibly cause more issues as a CIO, but this does not necessary make them any worse than some existing CIO’s who manage people but do not understand the technologies they are supposed to manage.
As in many companies, the CSO role is still buried under the CIO and therefore this becomes a natural progression if one wants promotion or the ability to pay off a Sydney mortgage.
July 3rd, 2009 at 6:20 pm
Most CSO’s wouldn’t be up to the task IMHO. They have their head so far up the proverbial and are so into their own self importance and greatness of superiority of security that they forget conveniently or because they don’t have a clue about the rest of the job.
July 5th, 2009 at 5:24 pm
LOL.
So many senior IT managers could be accused of the same things.
Small men thinking they are great!
In principle and comparing apples with apples, I believe that a great CSO should in theory make a good CIO. As talked about before, in many cases, this would not be a hard job.
How some of these guys make the money they do for the knowledge and expertise they bring in is just a mystery to me.