John Germain, CISO, Duck Creek TechnologiesCombining IT Infrastructure and IT Security leadership into a single role offers opportunities for process efficiency and better resource allocation.
It was early in 2014, and I had been in my role as CISO for a recent spin-off business for around a year. I had been with their parent company for about 15 years prior, and although the transition was challenging, I was excited to be part of something new. Everything was going well and I was enjoying being knee-deep in launching a new security program, even with all the challenges and opportunities that came with a moderate budget and limited resources. Then one day the CIO approached me with the idea of combining IT Infrastructure and IT Security under my leadership. Prior to beginning my career in information security, I had spent ten years as an IT Infrastructure leader, and the CIO was looking for help there.
"The conflict stems from demands on IT Infrastructure to provide faster, more agile solutions with increased focus on mobile and cloud capabilities.”
Knowing that there might be conflict between the roles, I was hesitant, though flattered. The conflict stems from demands on IT Infrastructure to provide faster, more agile solutions with increased focus on mobile and cloud capabilities. For security, this represents risk and managing this risk often time comes at the expense of some benefits of these technologies.
As I thought more, however, I decided it might accelerate some of the security initiatives I had prioritized, and could offer me the opportunity to influence our overall IT strategy in a way that embedded security in everything we did. Add in a promotion and a nice raise, and it was hard to say no.
I held that role for four years, and have thought a lot since then about what worked well and what our challenges were. I also thought about whether this approach eventually could become an accepted organizational model.
In fact, over the past few years, I’ve seen many more executives holding this dual role, which is not surprising. Based on my experience, this approach can be very effective. I will add the caveat that success depends on several factors, such as the type of business, the maturity of their IT organization, and the ability of their leader to drive a balanced approach.
What Worked Well:
• Budget: Having a combined budget helped my ability to fund security initiatives by focusing on infrastructure architecture investments. And I was able to do it through the lens of security in a cost-effective, balanced approach.
• Staff: The number of employees in my organization increased twentyfold, giving me the opportunity to cross-train and to staff initiatives without increasing head count. There is a lot of security talent within infrastructure that can be unlocked, and as you optimize your infrastructure you can reassign freed-up talent.
• Architecture and Standards: We built security into the foundation of IT by design. We leveraged industry standards, common frameworks, and best practices, and provided a secure infrastructure that was modular and agile. Security became embedded in the process, not an afterthought.
• Audit and Compliance: As we were building IT processes and solutions, we were accounting for audit and compliance considerations and making tracking and reporting more efficient.
Potential Risks:
• Perception: The biggest risk in play is the perception of security as an “IT only” responsibility. However, security must be a focus of every part of a business, from the board of directors down.
• Balance: There’s a necessary tension between security initiatives and delivering the business’ IT demands. Managing risk requires checks and balances. If the leader favors - or is pressured to favor one over the other, having a combined organization may diminish this healthy tension.
• Priorities: Related to the above, a shift in priorities between the two functions is hard to avoid. Keeping the business running always will take priority over preparing for emerging threats. This becomes evident when you’re considering investments, projects, and resources.
• Reporting: In a similar role, you will report to the CIO. For companies requiring more focus or visibility on security, this may not be ideal.
Ultimately, I succeeded in this dual role for several reasons. First, I was at a young company in a perfect position to build a foundational approach to infrastructure and security. Second, I had strong experience in both areas, as well as the trust and support of our senior leadership. That experience showed me that rethinking the ways we organize our workflows, departments, technologies, and staff resources can have a major impact on the way our organizations grow and innovate.
The main takeaway I would hope to impart is that evolving as an organization is about more than just replacing legacy technologies. It’s about reimagining every aspect your business, and building a fresh and productive future around new ideas, new solutions, and new ways of viewing your unique advantages as a company.
