There’s no question that CIO and CISO roles have changed in recent years. But have hiring managers adjusted expectations accordingly? The question intrigues Wayne Brown, the founder of the Center for Higher Education Chief Information Officer Studies.
Brown, a former CIO in higher education, industry and the military, conducts an annual study of IT leaders on campus. He spoke with EdTech about hiring trends and how they do — or don’t — help to further the IT agenda.
EdTech: Do the perceptions of CIO and CISO roles differ from what those jobs actually require?
Administrative leaders look at the CIO as a very technical position, and they apply that to the skills they think are needed for a CIO to do the job. But the more important parts of the job are leadership and communication. When you ask CIOs about the skills they need, those are always No.1 and No. 2, and have been for the 15 years that I’ve done this work.
A lot of the skills needed to be a CIO are the same skills needed to be a CISO. If you want them in the boardroom, campaigning for more funds for security, those are CIO kinds of qualities.
But what happens is, we look at CISOs and say, “Well, it’s got to be a hardcore technical job, so I want somebody from the network shop, and they don’t need to have a master’s degree, and they need to have certifications.”
I think the ideal CISO would look very much like a CIO. They need to have leadership, be able to communicate and translate, and understand the business that we’re in. I think they need to have an advanced degree and understand finance. If we get to that point, they could be the next generation of CIOs.
EdTech: Do these dynamics hamper CIOs’ and CISOs’ ability to advocate for IT investments?
Yes, along with the fact that many do not report to senior leaders. Only 4 or 5 percent of CISOs report to the president. A very small percentage serve on the management team. The vast majority report to the CIO.
CIOs have the same problem. Usually, 33 or 34 percent report to the president. With all the advances in technology and calls for it to be strategic, it hasn’t changed. Typically, between 55 and 59 percent of CIOs serve on the management team.
EdTech: When you first studied CISOs, what struck you the most?
The biggest thing is the difference between the CIO opinion and the CISO opinion about which skills matter most. CISOs recognize they need to understand security, but in the top five skills they identify as important, three are soft skills: communication, leadership, interpersonal skills.
CIOs often don’t see that as important for the CISO role, just as administrative leaders may not see those skills as important for CIOs. As CIOs, I think we’re hiring the wrong people. They’re always going to be in the basement, never in the boardroom. If interpersonal or leadership skills aren’t there, security is not going to make it onto the agenda.
Photography by: Jane Shauck
A significant percentage of CIOs say they have little to no funding for security. If you don’t have a CISO who can communicate, you’re never going to get there.
A good percentage of CIOs are also the CISO. Interestingly, when I ask them about security breaches and compromised data, they don’t see any more problems than those who do have a security department. I find that surprising. I think they probably don’t know the problems they have.
EdTech: What’s the organizational impact of these dynamics?
Some presidents and institutions recognize that technology can strategically make a difference and set you apart from your competitors. They find the right CIOs, hire people who are entrepreneurial and make them part of the executive team.
Others look at technology and say, “This is infrastructure. It’s like the physical plant on campus. It’s not important and it can’t make a difference.” In that case, you end up with something that will never be strategic because you get the wrong people, the wrong focus and the wrong support.
Some presidents don’t understand the technology and don’t want to put the time in to understand it. I don’t think it’s their job. I think you’ve got to have a CIO who can communicate with them about the importance. It’s our job to teach them.