The Amrop Digital Interviews: Martin de Weerdt, CIO Randstad Global
“When hiring a CIO, having had an experience with a serious security issue is a must.”
With large-scale digital transformations moving at an ever-faster pace, organizations are paying much more attention to their information, cyber, and technology security. The tension created between the priorities of enabling business objectives through technology and maintaining a robust security posture is especially challenging in terms of CISOs reporting to CIOs.
Amrop’s Global Digital Practice together with global search partner JM Search has been studying common areas of C-suite tension through a series of interviews with CIOs and CISOs in Europe and the US, to gain their perspectives on how to approach and manage these challenges.
In the first in our series of interviews, Job Voorhoeve, leader of Amrop’s Global Digital Practice, interviewed Martin de Weerdt, CIO at Randstad Global, a global leader in the HR services industry.
Q: There often appears to be tension between the priorities of enabling business objectives through technology and maintaining a robust security posture. What have you found to be the specific areas where this tension most clearly manifests itself?
A: Randstad is a people company - we hold a tremendous amount of information on people all over the world, millions of records, so for us security is very, very important. There’s always a level of security to which you can get within reason and within financial boundaries. So, I think the key thing is to focus on where the risk is the highest. It all needs to be in balance, and there are things that definitely need to be done immediately, while other things might require a bit more time. Security is a very rapidly changing field, since threat actors invent new approaches every day, and trying to stay ahead of them is an ongoing challenge.
Q: So, it’s about balancing priorities?
A: Yes, and I think there needs to be a very sensible conversation between the CISO and the CIO, as well as the business that eventually needs to pay for everything we do – about where we place the priority. What I’ve learnt from it is that you’re never going to be 100% watertight – it’s impossible, because there are threats arising every day, there’s always something new and we are the leading talent company in many countries all over the world. So, I’m quite sure that there will be areas where we need to work hard to keep up and balance risk and investment very thoughtfully, but this is also a way to be as good as we can be.
Q: What from your perspective are the pros and cons of the CISO reporting to the CIO vs. working as peers?
A: In reality, one does not necessarily exclude the other. The key question is how understanding the CIO is of the CISO role, because mutual respect is crucial. They both have their own agenda, but, at the end of the day, both are working towards creating the best possible IT structure in a secure way. And what that exactly looks like, I think, can be worked out between the CISO and the CIO on both the central and local levels. I don’t think that the reporting line is that important, but I think it’s crucial that the CISO has an opportunity to raise the alarm if the CIO doesn’t want to listen, to make sure there’s balance in that relationship.
In our organization the CISO doesn’t report to the CEO, but to me; however, they have an open door to the CEO anytime it’s necessary, and same for the Supervisory Board. I’ve introduced them, and they have a direct link now.
Q: What have you found to be the best practices to effectively address these tensions? How do you go about building that relationship?
A: In the case of our organization, we’ve created a measurable security strategy – where do we want to be great and where do we want to be good enough at any point in our journey. Of course, the CISO’s role is basically to deliver the security strategy, but they need to do it together with my organization. So, once we’ve jointly established the plan, my job is to make sure that the local CIO organizations actually deliver on the projects we’ve agreed to improve and our CISO needs to ensure that we deliver what we agreed. So, it’s very much a dance for two, a collaboration.
Q: Unfortunately, it doesn’t always work out so smoothly, right?
A: I think, if you have a CIO who’s diametrically opposed to the CISO, or the other way around, you’re never going to be successful, because you’ll spend more time debating and creating resistance than just addressing the issues. And it’s not an issue of beliefs or feelings – there are fairly particular measures you can use to check your security, and there are clear choices you can make with regards to the level of security which need to be a necessity. And once the choices are made, it’s all a matter of execution, which I think you should do hand in hand.
Q: But from your perspective as a CIO, I think it's important to understand what the CISO is doing, right? Because in the case of your organization the CISO is dealing with a lot more political and global issues, considering there are requirements coming from NIST.
A: The CISO in this case could be called the process owner. What you need to specify is the definition of “good” – and not just in isolation but in cooperation with the rest of the business. That’s the CISO’s job. And their job is also to measure how well we’re doing to achieve that definition of “good”. The CIO’s job is to deliver the work that’s required to achieve that – it’s a fairly simple split. And you don’t want the CISO to own the security measures because then you get the butcher who’s checking their own meat. So, the CIO’s organization’s job is to deliver upon the definition of “good”. The CISO’s role is to define “good” and measure how good we really are over time, and if there are any gaps. And then there’s the long-term strategic approach. Of course, if there’s an issue, or a challenge, or a threat, then the CISO very much controls the process of managing it, reminds us to control the resolution of it where we can, by technical means.
Q: So, make it available.
A: Yes. And I think there is a distinction between the functional hierarchy, which I find to be less of a relevance, and what I would call the hierarchy of expertise which, I think, should prevail, depending on the situation. So, if it is about security, I'll gladly follow our CISO’s guidance, and if it's about how we deliver what is required, I presume, they will gladly follow mine. It must be a symbiosis of skills, knowledge, and experience.
Q: Thank you for that! What advice would you give to your fellow CIOs and/or CISOs to best manage this relationship?
A: To simply treat the CISO as your critical best friend. I think working with a CISO is almost like your relationship with your doctor. Either trust the doctor on medical issues, or do the surgery yourself... You need to trust the person’s knowledge, and if you're not willing to do that, then I think you need to find a different CISO, or the organization needs to find a different CIO.
Q: Interesting, because we were talking just before with one of the other interviewees that in the US a couple of CISOs are reporting to the Chief Legal Officer.
A: In that case the CISO becomes almost like a part of the audit committee, and that’s, in my opinion, a very risky situation. In our case the CISO is very much part of the IT management team, we’re in this together, and it’s far more fruitful. It’s not just because we share the understanding of the technology but also because we share KPIs. Then they are like a friend who has expertise in a particular area, much more than having someone who checks your homework.
Q: What governance standards need to be in place to make sure that a cybersecurity framework aligns with organizational goals and industry security requirements?
A: We’ve created this CISO organization where we have a CISO in every region. They all report to the global CISO, and we pay for them from the central budget – the line of reporting is very clear. They of course work closely with the local CIOs, but they don’t necessarily report to anyone other than to the global CISO, which is very deliberate due to the independent role that they need to have. It actually goes against what I just explained to be the dynamics between our CISO and me, but, at our level, we’re able to handle that. And we’ve created a very clear issue escalation process, where we described in detail what needs to be done in case of an emergency.
Q: So, you have implemented a more solid line of reporting – from the local CISOs to the global CISO.
A: Yes. Just like the local CIOs report to me, the local CISOs report to our global CISO.
Q: So, when we talk about going up a level, what are your best practices when it comes to you, the CIO and the CISO communicating in a unified way to the Board and the Executive Leadership Team?
A: We have a regular quarterly update, which works very well, because it’s a mixture of what happens in the world in terms of security – it’s basically a refresher about the constant attacks that are happening – and we also give an update about the issues we’ve had. We talk about how we’ve handled those issues, and we also mention issues that partners we work with have experienced. Last but not least, we report against our strategic plan on how we want to improve our security posture in line with the NIST model.
Q: It means that the CISO really needs to also understand the complexity the CIO is dealing with within the IT organization. On the other hand, the CIO really needs to understand the risk audit side or the process, right?
A: It helps if you have a CIO who has gone through a security issue at least once - to know how painful it really is. It certainly gave me a better understanding of why security matters. Let's put it this way: I would not hire a CIO who has never had a security issue, because it is a daily situation these days.
A very special thank you to Martin de Weerdt for his insights and thoughts!
For more perspectives from former CISOs and CIOs, read the full study on CIO & CISO: Managing Tensions and Working Together.
To find out more please contact Job Voorhoeve or the Amrop Digital Practice members in your country!