An effective CIO-CISO partnership is built on trust and the realization that cybersecurity needs to be embraced throughout the organization, according to state of Wisconsin CIO David Cagigal and CISO Bill Nash. Cagigal and Nash spoke with SearchCIO at the recent Fusion CEO-CIO Symposium, produced by WTN Media. In this video, they enumerate the elements that help drive an optimal CIO-CISO partnership and offer pointers on how to avoid tensions in their relationship. They stress that communication between their roles is vital to prioritizing cybersecurity efforts.
What are the secrets to building a strategic CIO-CISO partnership?
David Cagigal: Bill and I have been together for more than four years and we have a relationship built on trust. That’s very important. We trust one another in our wisdom and our decision-making. Secondly, we are looking at trying to develop a sense of importance and urgency regarding cybersecurity, and we share those common beliefs. Lastly, we have convinced the organization that we have the adequate leadership support for funding and addressing these issues.
Bill Nash: The other piece of this relationship is that I have the good fortune of working with a CIO who is very interested in cybersecurity. As a lot of people know, cybersecurity is not just something for cybersecurity professionals. The whole organization needs to participate and be a part of good cybersecurity.
Cagigal: It’s a constant balance of risk and cost.
What kind of tension do you see in a CIO-CISO relationship? How do you resolve such tensions?
Cagigal: I believe our relationship is more in harmony than in tension because we share common beliefs. We understand the importance of communicating the message regarding cybersecurity, its risks, its costs and its importance to all that we do within the state government.
Nash: As David is saying, it really gets back to the risks. We have the good fortune of being able to talk about those and communicate where they are, and then come up with strategies and a plan to address those in an orderly fashion based on what we can afford to do and what’s the most important to us. It’s not something that’s just a concern for cybersecurity; it’s all about how it could impact the business. If we have an issue, it could cost the state a lot of money, it could cause reputation damage, etc. As long as we are addressing those and talking about those, I think it really makes our relationship very easy.
Who should a CISO report to and why?
Nash: In some organizations, the CISO reports outside of IT and at a higher level. In our organization, the CISO reports to the CIO. In our case, that works very well because David is an excellent sponsor for cybersecurity. He is always very outspoken about the importance of it and helps us carry out our mission. I think the key is, if you have a great relationship, it will work in a positive fashion. In my case, it’s very good that it’s reporting within IT because a lot of what we’re trying to accomplish requires the other resources in IT. It’s nice that we’re peers; we’re working closely together to solve the issues together. But if you had an organization where that relationship wasn’t working well, you might need somebody from the outside to push that effort.