I recently accepted a new position at the University of Wisconsin-Madison. For the past six years, I have been the Deputy Chief Information Security Officer. besides my responsibilities in backup the CISO, I was responsible for the campus Cybersecurity Governance, Risk Management, and Compliance programs as well as the campus HIPAA Security Officer. This month I accepted being the CIO for the UW-Madison College of Agriculture and Life Sciences. I am looking for other CISSPs who migrated to a CIO role. What was your transition like? What skills did you bring forward to your new role? What skills or approaches did you have to leave behind?
Thanks - Stefan Wahe
@WiscWaheI have not done this myself, but there is some helpful literature to explain the differences and expectations, which may assist you.
"I challenge CIOs and CISOs to work on three areas to improve their partnership for the good of the organization:
I am looking for other CISSPs who migrated to a CIO role. What was your transition like? What skills did you bring forward to your new role? What skills or approaches did you have to leave behind?
Thanks - Stefan Wahe
I have gone back and forth between CIO and CISO roles over my last 4 jobs. I took the skills I learned from each of them and used them to benefit the new role.Being that you have a security background you will be able to work with the CISO to form a collaborative team to improve security while modernizing IT. You will definitely want to leave behind (if you had it) the "Dept of No" mentality that some people in Security have. I had to realize in both roles that when a customer comes to you that the customer has a need. You will need to figure out what that need is and how, if possible, you could create a solution that meets their need while addressing the security concerns.
You need to establish good relationships between the two entities. Since you have a security background you should be able to do this easily. You also have to understand the organizational culture of your new department. Trying to make decisions that go against this culture will hamper your progress.
An example. In one CISO role, I came in to an organization and realized that the IT organizational culture was one of fear. They were behind in their patching because they didn't want to blue screen any computers. We were not in a life or death type of scenario, so the fear was irrational, except if you understood that they (IT) had already had a major mess-up and were unwilling to be the one who screwed up again. This permeated every aspect from patching systems, to updating OS, to taking action against misuse, etc. They were in a very bad situation from a cyber-security perspective. My predecessor was a jerk, to put it mildly. He didn't understand organizational culture so he tried to run his position through fear and control. So IT was very nervous of how I would run the cyber shop.
I quickly identified numerous problems but held off on trying to remedy them as I saw that there had to be a reason for the dilapidated security posture. I found the underlying organizational culture to be the reason. I worked hard on repairing the bridges between departments. I then, considering the culture of fear that was present, had to slowly introduce my ideas for getting the cyber security posture to improve it. Each decision took into consideration the underlying culture. Progress was slow but I earned trust with each department.
I was able to have some success by not being a jerk and using my personal skills to help other people achieve their goals, that also were in alignment with the security goals I wanted to achieve.
If you want to be successful as a CIO you can use some of the lessons learned in cybersecurity to help you achieve. Look at the CIS Critical controls. Use them as a guideline to help get your IT shop into shape while also improving security.