CISOs and CIOs: Why can’t we be friends?

When Barry Caplin stood onstage in Chicago at the most recent Healthcare IT News Privacy & Security Forum this summer, he put it plainly: “I’m going to talk alignment. And connections. And outreach.”

Caplin, chief information security officer at Minneapolis-based Fairview Health Services, paused for a moment.

“And love! How about some love for the security industry? Because none of us got into security to be popular. In fact, quite often, when security comes, a lot of folks are going in the opposite direction. They don’t wanna see us.”

The title of Caplin’s presentation, which delved into the often fraught relationship between hospital CISOs and their close colleagues, chief information officers, was “CISOs are from Mars, CIOs are from Venus.”

After all, these are two C-suite roles that have very important jobs – and different ways of looking at things.

“We come from different worlds,” Caplin said. “I’m a security person. I come from a technical background. I was a developer, I’ve done all those geek things. A lot of people who have moved up to a CISO role, a lot of folks in that area come from a technical background. We’re engineers, we want to fix things.”

Meanwhile, “a lot of IT folks, CIOs in particular,” come from the business side. They think in terms of budgets and project management.

That means two separate groups that speak different languages, strategize using different techniques and use different tools.

“I’m the CISO, and I can wield the Sword of Antivirus!” he said, to laughter. “Or make it the Lightsaber of Total Endpoint Protection! Or the Shield of Next-Gen Firewall!”

But CIOs brandish an entirely different set of weapons: most notably, “the Scepter of IT Budget.”

Not for nothing, “it’s hard for (CISOs) to do our jobs without that critical tool,” said Caplin.

Coming from these very different viewpoints, relationships between CIOs and CISOs can at times be contentious. But that has to change.

First step? Understand where each other is coming from.

“In security when we talk about threats, we’re thinking about hackers, about malware,” said Caplin. “Nation-states. Hacktivists.”

But CIOs have a different idea of threat and risk. “Being over time and over budget,” he said, are atop the list of things that keep them up at night.

Security folks think in terms of the classic probability/impact matrix, and how to balance threat response accordingly: “For a CIO, not meeting the business need is a core, critical risk.”

Understanding those different worldviews is key to overcoming friction points and moving toward a common goal. After all: HIPAA breaches, hacks and cyber attacks affect everyone. They’re not just problems for CISOs. They’re one of the biggest threats to the very business continuity CIOs are sworn to defend.

“We’ve got to figure out how we get together and meet in the middle,” said Caplin. “We need to unite against that common enemy.”