Combining Cybersecurity and Tech Roles Helps Solve Security … – The Wall Street Journal


Having a single person leading technology and cybersecurity functions can increase efficiency in day-to-day operations, and allow for more pragmatic long-term planning, executives who wear both hats say.

The combination can be particularly effective for small and midsize companies, said Jim Rutt, chief information officer and chief information security officer at philanthropic organization the Dana Foundation.

Security chiefs, many of whom started their careers in technology, are thinking about the future of the relatively young C-suite role, which has already changed dramatically in the past few years. Traditional IT functions such as infrastructure are now cloud-based, increasing the CISO’s responsibilities, while notable legal risks have also arisen for those in the role. Former Uber Technologies Chief Security Officer Joseph Sullivan was convicted of obstructing justice, and SolarWinds executives including CISO Tim Brown are subjects of an investigation by the Securities and Exchange Commission.

This interview with Rutt has been edited for length and clarity.

WSJ Pro: What are the practical benefits of combining the CIO and CISO roles, from your perspective as someone who does both?

Rutt: It’s not only strategically superior to separating roles, or because of the efficiency gains. I think it’s being able to plan and architect systems in such a way that we’ve got security first and foremost, so you don’t have to spray it on afterward. You can bake security in at the outset.

That’s still an issue right now. This is one of the key battles that I keep seeing in the ecosystem. I have a pretty big network of folks in both roles that are siloed, and this is one of the biggest arguments that they have, in terms of trying to define relationships in such a way that they can build an effective security program.

WSJ Pro: What about the challenges that handling both roles presents?

Rutt: Your own challenge is that you’ve now become the go-to guy for all things technology, cyber risk and what have you. I think the biggest challenge of my career was learning how to present risk in such a way that nontechnical and noncyber folks can understand it. That took a number of years.

WSJ Pro: When you say presenting risk, do you mean to the board, the chief executive?

Rutt: Yeah, governing bodies. And peers. It takes a village, because I need the support of all my peers in order to move certain projects forward, whether it be security-focused, or regular infrastructure, or data, for that matter. All these things have a common thread in understanding the risk and the applicability across departments. It means I need to be able to have that kind of conversation in a way that everybody is going to understand all the implications.

WSJ Pro: Do you see this as the future of the CISO role—less strictly on security alone, and more an all-encompassing executive position that wraps in tech, infrastructure and everything else?

Rutt: I certainly think that for a midsized or small organization, the benefits are absolutely clear from the economy of scale, obviously, and also having the management of both areas being combined into one.

But I also think it’s going to be harder and harder to get the right kind of person for that role. It has to be someone that’s not just, as I said, technically focused. They have to understand all the other aspects to the role, from a fiduciary and legal perspective. And there’s the added risk we’ve seen from some of these recent cases such as the Uber CSO and SolarWinds.

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.


