CSO Perspectives (Pro) 3.13.23
Ep 102 | 3.13.23

The CIO/CISO relationship.


Rick Howard: For the newbies out there who may not be aware of the history, Citigroup hired Steve Katz to be the first-ever chief information security officer, or CISO, back in 1995. Here's a clip from an interview Steve did in 2020 with Cybercrime Magazine about that historic event.

Steve Katz: I'm Steve Katz. I have the pleasure of being the world's first CISO, which originated at Citicorp in 1994, '95. I was running information security at Morgan Guaranty or JP Morgan Chase. I'm not sure what the title was at the time. And the rumor on Wall Street was that Citicorp had been hacked. I got a call from a recruiter asking me if I'd be interested in speaking to Citi about a position in information security. It's going to require board approval because the hack did get board attention. And the title would be chief information security officer, which was the first time that title had ever been used. And they really gave me two basic charters. One was, you know, you had to hack, so you have a blank check to set up anything you want. We want to make sure it doesn't happen again. And we want you to build the best information security department anywhere in the globe. 

Rick Howard: Interestingly, even back then with the Citigroup board mandating that the leadership team hire the first-ever executive to be in charge of information security, Katz's boss was the Citigroup CIO, which set the precedent. Even today, almost 30 years later, most CISOs in the world still work for the CIO. I thought it was about time to explore this relationship in 2023 to highlight how it has evolved over the years and maybe forecast where it might go in the future. So hold on to your butts. We've got some educating to do. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old US of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 

Rick Howard: I'm pleased to have at the CyberWire Hash Table today two IT and security leaders, longtime veterans in the field from a company called Ceridian. Ceridian makes a SaaS-delivered human capital management suite called Dayforce. And Carrie Rasmussen is the CIO, and Colin Anderson is the CISO. Carrie, Colin, thanks for coming on the show. 

Carrie Rasmussen: Thanks, Rick. Thanks for having us. 

Colin Anderson: Thanks for having us. 

Rick Howard: So today we're talking about the CIO-CISO relationship. And specifically, how do these two executives, who typically have two distinct mandates from the company they work for but have overlapping responsibilities - like you two, I've been doing this stuff for a long time, and there generally seems to be about three working models. And see if you guys agree with me on this. 

Rick Howard: The first one is the CIO and the CISO work for the same person on the executive staff, and the two coordinate within that organization, or they work for different people on the executive staff and have to coordinate with each other outside of normal channels in a kind of matrix approach. Or the third way, the more common way, I think, is that the CISO works for the CIO in a subordinate manner. So, Carrie, let's start with you. First, in your experience, are those three models capturing everything, or do you see other models? And how do you guys do it at Ceridian? 

Carrie Rasmussen: Yeah. You've captured the models very well - well-stated, right? You see that in different industries and different maturities of how far companies are advancing based on their risk profile. Here at Ceridian, Colin and I are peers. We both report in to the chief operating officer. So you might say we have competing priorities, but I like to say you're going to see that we actually have very common goals together. 

Rick Howard: I think that's the perfect model, in my own view. Out of the three models, I think both those - both executives, the CIO and the CISO, working for the COO - that's the perfect way. Colin, how do you - what do you feel about all that? 

Colin Anderson: You're actually right. You know, the models have changed over time, and I do think that more forward-thinking organizations now realize that the CIO and CISO need to be peers. You know, they have, in many cases, common goals. And that subordinate relationship - you know, when IT was - when security was a factor of IT, that made sense. But security - cybersecurity is very different these days. 

Rick Howard: Well, I have to say, too, I've seen all models work, OK? So it depends on the culture of the company. I've also seen all models crash and burn. So it isn't like there's one better than the other. But I prefer the one that you guys are in. I think that's the best way. So, Colin, I was looking at both of your LinkedIn profiles. You and Carrie overlapped at Safeway in similar roles, and you both took jobs with other companies since but ended up back at Ceridian. So was it pure serendipity that you came back together, or was there some sort of plan? 

Colin Anderson: (Laughter) It was our master plan. No. 

Rick Howard: To control the world. 

Colin Anderson: Honestly, it was complete serendipity. I joined Ceridian early 2021, and at that time, the organization was looking for a CIO and our now-CEO said, hey, we're talking to this woman named Carrie. What do you think about her? And I said, you know, go get her, you know? 


Colin Anderson: And so it's actually been wonderful to reconnect with Carrie and be part of the same leadership team again. 

Carrie Rasmussen: Yeah. Yeah. I'll start with a little bit - just the general CIO role, right? 

Rick Howard: Yeah. 

Carrie Rasmussen: Years past, it was more of an infrastructure play with the team that, you know, worked out of the data center. They took care of the servers, the hardware, the laptops, your devices, and it has since grown. The CIO is no longer, you know, looking at the bottom line. We're looking at the top line. The demands and pressures upon me and my role, which I truly welcome, is really around - about business enablement, right? And you've seen that shift with the shift in technology, right? 

Carrie Rasmussen: We've migrated away from, you know, homegrown technology to outsourcing, in a sense, some of that infrastructure supportability and staff and application management to now, how do we consume that technology to solve business problems? And, you know, for a CIO, it's great to be at the big table making business decisions and, you know, frankly, being relied upon to driving, you know, our company's strategies, goals and objectives. It's a great place to be. 

Rick Howard: Would you say it's fair to characterize it this way, that we - CIOs no longer are just keeping the lights on in the data center, but now you're involved in the strategy of the company, innovating for the company in the digital space? Is that the arc of the CIO in the last 20 years? 

Carrie Rasmussen: Absolutely. We're involved in everything around how we create that flexible workspace so our talent team can recruit, how we work on environmental impacts, you know, with our ESG team around carbon footprint. We are involved in everything now. And again, like I said, it's a great place to be in a technology leadership role. 

Colin Anderson: Colin, I'll pose the same question to you. What's your take on how the CISO role has changed in all that time? 

Colin Anderson: So the CISO role has changed dramatically in the last 10 years. There was a point in time where security was an IT problem, and that time has passed. Cybersecurity is a business problem. It's a business challenge. And so I'd say a year or two before that, you know, 2013 Target breach. 

Rick Howard: For the youngsters out there who have never heard of the Target data breach, it happened in 2013, and it was one of the largest retail data breaches in history. It was the kind of breach that the InfoSec community had been warning business leaders about for years. The hackers impacted about 40 million customers during the holiday shopping season, and they gained access to Target's computer systems through a third-party HVAC vendor's login credentials. This is one of the first publicly known breaches that demonstrated weakness in the supply chain. 

Rick Howard: The hackers installed malware on Target's point-of-sale systems, which allowed them to capture customers' credit card data as it was being swiped. The hackers then sold this data on the black market or used it to create counterfeit cards. The breach resulted in a significant financial impact on Target, including loss of sales, costs associated with the breach response and legal settlements. 

Rick Howard: In 2015, the U.S. Department of Justice announced charges against Artem Vaulin, a Ukrainian man and the mastermind behind a popular piracy website called Kickass Torrents. While the FBI investigated the piracy website, they discovered Vaulin talking to the Target breach hackers, Dmitriy Shishkin (ph) and Sergey Tarasov. The FBI arrested and extradited them from Ukraine in 2018. They also arrested Roman Valeryevich Seleznev in 2014 for his role in a number of high-profile data breaches, including Target. 

Rick Howard: After the break, I'll talk with Colin and Carrie about strategies for how the CIO and CISO can work together. So come right back. 

Colin Anderson: Things started to shift. CISOs were reporting to board of directors, to senior executives. They were curious. They were interested. They were concerned about cybersecurity. And that infamous 2013 Target breach really changed the role dramatically because at that point in time, businesses realized what a critical risk cybersecurity could be to their business. And I think since then, the CISO role has changed dramatically. The scope has changed. The level of engagement has changed. I mean, I'm talking to my board members, senior executives every month. That was a level of engagement that I didn't have 10 years ago. 

Rick Howard: So - but you two have worked together for many years now in two different organizations, and clearly it's a successful partnership. But even great marriages have bumps along the road. So, Carrie, was there one or two challenges that you two had to overcome to be successful together? Did you have to figure out the... 

Carrie Rasmussen: Yeah. 

Rick Howard: ...Lanes in the road kind of? Yeah. 

Carrie Rasmussen: Well, like, you know, you said it well. It is a partnership, right? And the more we can align our goals, you know, the easier that working relationship in marriage might be, right? For us, really, where Colin and I sometimes would differ is risk versus reward. In one side, you know, I'm being relied upon to help grow top-line sales, to help reduce operating costs, right? And you have to balance that with the risk and the reward, and that's where Colin has to come in with his lens of, what is the risk? What is the potential impact? And what are we willing to accept, right? 

Carrie Rasmussen: So - and that's where you have those more, you know, good conversations - right? - about what truly is best for the company, right? And I think with Ceridian, you know, we really have an amazing culture around transparency, collaboration, and it's really defined in how we solve problems together and how we work together. And so, again, we can have those debates, but at the end of the day, we're going to align on what's best for the company. 

Rick Howard: I like that you brought up risk as the way you measure that and how you make decisions one way or the other. Colin, what's your take on that? Is that the - that your view of the world also? 

Colin Anderson: So there's always going to be trade-offs, and there always has been. You know, with technology, with cybersecurity, you are looking at the overall risk to the business, and so sometimes hard choices have to be made. And so I think Carrie said it very well. Those are the challenges, and it's often just a perception or, you know - we both prioritize cybersecurity. 

Colin Anderson: I love having a CIO that, you know, kind of shares some of my same views on this, but she's - has different challenges. She's being asked to, you know, drive down costs, maybe grow the business, and so she's having to focus on investments that help the business in that manner, where I'm looking at, how do I enable the business to grow into new businesses, protect that profit, minimize the risk of growing that top line that we're both focused on? 

Rick Howard: Well, we're - we've been talking about the evolution here, and I think one of the arcs that I've seen is that, you know, in the early days, security folks just said no to everything, right? And these days, it's all the risk-reward calculation that you're talking about, right? That's kind of the big change, right? 

Carrie Rasmussen: It really is, right? And that's what I know Colin spends a lot of time - is educating our leadership team on those risks, right? And so I can come in as a great partner and help strengthen those messages and take it from even my perspective, right? And so none of us want to say no. It might be a not-at-this-time, or it might come with, you know, other caveats that we have to address. We want to be seen as enablers. We don't want to be seen as the no department, right? 

Rick Howard: Exactly. 

Colin Anderson: And, you know, the CISO - the cybersecurity cannot be the office of no. We have to be enablers. We have to be like and-but, you know? We have to find those win-win solutions because we don't want to impede our business growth. We want to enable it. But we want to do it in a smart, planful manner. 

Rick Howard: So you guys know that this podcast, "CSO Perspectives," is a podcast about cybersecurity strategy designed for the security executives. So, Colin, let's start with you on this question. When you two put your heads together for Ceridian, what's the first principal strategy that you're trying to accomplish? I mean, if I made you put the strategy into a 280-character Twitter line, what would it be? What's the goal there? 

Colin Anderson: It's easy for me. It's customer trust. At the end of the day, you know, we're a SaaS business. If we don't have the trust of our customers, we don't have a business. So it is - my job No. 1, protect customer trust. 

Rick Howard: What do you think, Carrie? Are you buying any of that (laughter)? 

Carrie Rasmussen: Absolutely, right? If - you know, we are in the business of commercial software sales. And let me say, our customers' security comes first. It even comes first with me, right? So Colin said it best. And so - and again, it comes down to a balance of, how do we do that and continue to advance in other areas? 

Rick Howard: So let me give each of you the last word here on a final takeaway. Colin, we'll start with you. Is there some piece of advice that you could give CISOs and CIOs that might be listening to this that would help them along their journey? 

Colin Anderson: Start with trust. You got to - any relationship, you need that foundation of trust. Fortunately, Carrie and I had that from a previous, you know, working relationship. So we started, you know, with that already in place here at Ceridian. Make sure you've got clarity of roles and responsibilities, how you can collaborate and work towards common goals. And communicate, communicate, communicate. You know, all of us as leaders, we're hard charging. Our heads are down. We're trying to deliver things, and we sometimes don't pause and stick our head up a little bit and just make sure that, you know, Carrie knows what I'm working on and I know what Carrie's working on so we can support one another. 

Rick Howard: I think that's really good advice - right? - taking time to make sure you're both on the same page. That's really good. Carrie, how about you? Any last words about - advice for other folks? 

Carrie Rasmussen: Yeah. 

Rick Howard: Yeah? 

S3: Rick, you know, I took some notes down and said, what are, like, the top-five things that are top of mind for me, like, in the next few years? And really when I - and I'll kind of run through them, and when I run through them, a lot of them have a cybersecurity, you know, line to it, right? So if you look at - just balancing risk is, like, No. 1 for us, right? How do we move forward with balancing risk? Data protection, right? You normally would hear a CISO talk about data protection. As a CIO, you know, it's going to be one of my No. 1 things. My data is in SaaS-based systems, right? So it's leaving my environment. How do I make sure data protection as we continue to leverage cloud and we grow? Citizen developers, right? 

S3: We have a new generation, Gen Z, coming in - right? - to our workforce. How do we balance these folks who are tech savvy and expect things to work? So if you really think about some of the things that are coming my way - talent, all the things that, you know - they all have an undercurrent of a cyber threat in the cyber lens. So, you know, in one side, I have my own mandate, but I have to share Colin's. And that is my greatest advice to any other CIO out there to be successful. 

Rick Howard: I said at the beginning of the show that I don't think there's a right way or a wrong way for who the CISO reports to in an organization. I've seen it work in all kinds of configurations. The CISO works for the CIO. The CISO and the CIO are peers working for the same boss. And the CISO and the CIO are peers working for different bosses. I've also seen each of those cases morph into dumpster fires, too. It all depends on the personalities involved, the culture of the company and the mandate that the senior executive team has given to both parties. I was talking to Steve Winterfeld about this. He's the Akamai advisory CISO and a regular visitor to the CyberWire Hash Table. Here's what he had to say. 

Steve Winterfeld: Rick, I think, you know, the relationship of reporting to the CIO or CFO or anybody really comes down to the culture of the company and access to senior leadership. It's less about who you report to and a culture of collaboration and access to senior leadership, like a board who truly cares about security. So a lot of different models out there - but ultimately, for me, I want to work somewhere where there's a culture of caring about the customer and security. 

Rick Howard: I don't want to admit this in public or anything, but I think he's right about that. Don't tell him I said that. I'll never hear the end of it. The bottom line for me is that the CIO is trying to innovate for the company, and the CISO is trying to reduce the probability of material impact due to a cyber event. Just keep this in mind. Those two ideas are not in competition with each other. It's possible to do both. Just look at the example that Carrie and Colin have set at Ceridian. 

Rick Howard: And speaking of those two, I want to thank Carrie Rasmussen, the CIO of Ceridian, and her partner in crime, her peer Colin Anderson, the CISO, for coming on the show and helping us get our hands around this topic. 

Rick Howard: And that's a wrap. As always, if you agree or disagree with anything I've said, hit me up on LinkedIn, and we can continue the conversation there. Or if you prefer email, drop a line to csop@thecyberwire.com. That's C-S-O-P, the at sign, thecyberwire - all one word - dot com. And if you have any questions you would like us to answer here at "CSO Perspectives," send a note to the same email address, and we will try to address them in the show. 

Rick Howard: Next week, I'll be talking with Todd Inskeep. He's the founder of Incovate Solutions. He and I got a presentation accepted at the upcoming RSA Security Conference, so we're going to give everybody a preview of what we're going to talk about in that presentation. You don't want to miss it. 

Rick Howard: But before we go, I have a few reminders. I mentioned last week that we're publishing a book based on the "CSO Perspectives" podcast - all of the first-principle shows from the past three years. It's called "Cybersecurity First Principles: A Reboot of Strategy and Tactics." And we're rolling it out in time for the big RSA Conference shindig in April of this year. You can preorder your copy now at Amazon. The link is in the show notes, or you can just go to the Amazon webpage and search for the title. You can't miss it. And if you're traveling to the great state of California for the conference this year, I'll be signing copies. 

Rick Howard: I'm scheduled to be at the conference bookstore located in Moscone South at 3:30 Pacific time on Wednesday, 26 April. I would love to see you there. And like I said, I'm giving a presentation just before the book signing with Todd called "The Emperor Has No Clothes: The Current State of the CISO." So if you're in town, please join us. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.