The Amrop Digital Interviews: Feliks Voskoboynik, CISO A.S. Watson Group
“Align, educate and simplify!”
As companies have gone through large-scale digital transformations, they are now under more pressure than ever not only to move at a faster pace, but also to pay much more attention to information, cyber, and technology security. The tension between enabling business objectives through technology and maintaining a robust security posture is especially challenging where the CISO reports to the CIO.
Together with our US partner JM Search, Amrop has been exploring common areas of C-suite tension through a series of interviews with CIOs and CISOs, to gain their perspectives on how to manage these challenges. In the second interview of the series, Job Voorhoeve, leader of Amrop’s Digital Practice, interviewed Feliks Voskoboynik, CISO at A.S. Watson Group, the world's largest international health & beauty retailer and leader in O+O Retail.
They discussed potential conflicts of interest between the CIO and CISO, the CISO’s educational role and the responsibility of “getting a place at the table” when it comes to communicating their message to the Board.
Q: There often appears to be tension between the priorities of enabling business objectives through technology and maintaining a robust security posture. What have you found to be the specific areas where this tension most clearly manifests itself?
A: If you look at the retail space, at the moment it’s growing quite fast, and you need to be on top of things as an organization. It is a very competitive business, and what we feel and face, when it comes to the constraints that exist between IT departments, marketing departments and security, is that from a security perspective it’s really challenging to keep up with the business needs moving at such a fast pace. So, they move fast, they want to roll out new projects, there are different innovations, especially when it comes to ways of simplifying things, and all that comes with complications from the security perspective. They’re working with many different vendors, and that also makes things complicated – there’s a large supply chain with many parties involved, so the scale becomes immense. And then the question from a security perspective is: how do we get a hold of, and on top of, all this? That starts the debate in which there can be tension, and it has to do with the speed…
Q: Would security prefer things to go slower?
A: No, not so much slower, but security wants it to be done right. And sometimes going fast and having it done right doesn’t align. Driving the car really fast is not always the best idea, because you need to see the picture ahead, assess the risk. And in our organization and from the management’s perspective, the idea of “faster, faster, faster” is pretty much what’s imprinted on everybody’s minds today. Because if you’re not the one going “faster, faster, faster”, somebody else will be. And if you look at a lot of these organizations, you notice that many don’t actually have a CISO organization in place, and it tends to be that the IT person is responsible for the security (I met someone who is both HR and IT, holding some responsibility for the organization’s security). So, at the end of the day, the scope of cybersecurity in retail is not that large yet. And, the way I see it, it’s because a lot of the time the management of these businesses think that if they add more layers of complexity to the organization, it will be much harder to move on the “faster, faster, faster” route, and somebody else will be faster and get there first.
Q: But what about the risks? Haven’t there been many breaches in retail?
A: There have been big breaches in retail, so I do believe that retail is a risky area. But it’s a low-margin industry, and investing in security is costly, so I believe that sometimes businesses would rather take losses, because retail will always come back up – people need to go to the stores and buy products. So, they tend to accept the risks, and sometimes they’ll have a breach or lose some data. They’ll then pay whatever they need to pay. And a lot of retailers pay ransom.
Q: What from your perspective are the pros and cons of the CISO reporting to the CIO vs. working as peers?
A: If there’s to be a proper CISO organization and good cybersecurity, then the CISO needs to have that enforcement factor, the upper hand, so he needs to have a direct link to the management and the ability to make these decisions. And, I believe, when you have the CIO in the middle, there can be a conflict of interests, because they’re responsible for the budget. And, in their view, the budget needs to be allocated properly to the IT space, to innovate – large projects. And, of course, security will also have considerable budgetary needs, but, if the CISO reports to the CIO, they cannot go directly to the CEO, which would also cause a conflict. So, the reporting structure needs to be clear, but in such a case the security might not get the budget it needs. And, I think, when it comes to risk aversion, cybersecurity has a big risk management perspective, and the CIO department will want to work faster, while the security, from their perspective, will be what’s causing that slight delay, and this too can be a source of conflict. So, when it comes to budget and risk, these are the main hurdles that the CISO needs to overcome when working closely with the CIO.
Q: Are there any pros, in your view, when the CISO reports to the CIO?
A: There are, of course, pros too, and I think the main one is that as CISO you’re closely connected to the IT department, working in that environment, because, if you look at some other areas, say, data privacy, today that tends to be run by legal – and reporting into legal would be something I see as disadvantageous. They’re not really connected to the business; they don’t understand how IT works and the issues it’s faced with. Without having full awareness of the larger picture, they would deal with the different regulations, controls, and measures. But when the security department is reporting into the IT department and working closely with the CIO, they understand the business, they understand the project, and that way they will have a closer visibility of the strategy. Which is why it’s really worth looking at the pros and cons of this: because sometimes it could be that you’re the CISO, reporting directly to the CEO, having a large budget, but at the same time you might be investing in things which are not aligned with the strategy, the bigger picture. And, at the end of the day, the bigger picture sits with the CIO, s/he’s responsible for the IT strategy, and the security needs to be part of that. When you’re fully independent, you’re going to have a visibility problem.
Q: What do you see as best practices, from your perspective? How to manage these tensions? For example, do you think that company culture or the personalities of the CIO and CISO can be an important factor?
A: I think it’s about finding that common divide. Of course, the CIO won’t be an expert in cybersecurity, s/he’s going to be missing that education, so it’s crucial to provide it. Because that way the CIO will better understand the risks and opportunities in the security area and be able to take responsibility for it. It’s also about finding a way to make cybersecurity engaging and simple. I have seen that many tend to complicate things and make it worse than it could actually be. But if you find a way to align with the CIO, to make it simpler, streamlined, and educational for them and for others in the team, if you form the right relationships with your stakeholders, I think that can really simplify things and make them better. And you don’t put fire out with water, right? There’s a way, a tactical approach for doing things.
Q: Can you give an example?
A: Yes, it’s about not making it more complicated than needed. For example, the CIO department needs to roll out an application for the HR system. The old-school CISO would probably come in with hundreds of controls and insist that we need to do all these things, which will probably take them ages to implement, and it will slow down the project. In this case the CIO will probably say: hold on, we need to think about this, it will cost us a lot of money and a lot of time; we don’t have time for this! So, instead of doing that, you as a CISO need to look and see what the key risks are in this application: what could happen? So, you’ve got a couple of things. There’s the employee data; you want the application not to be ransomed, for example. So, you think about the highest-risk controls – you need to control the server that the application is sitting on, just be a bit tactical to protect the data. And you find ways to minimize the work necessary, because a lot of the aforementioned activities can be easily automated. So, you cover the key risks, and then, over time, you might want to look at the bigger picture, but don’t make it too big, don’t over-amplify it right away, just control the key risks without slowing down the operation, and let the CIO work fast. So, that’s the divide: you can’t have everything, but this way you make things work.
Q: Great. And what other advice would you give to fellow CIOs and CISOs to best manage their relationship?
A: Managing this relationship is very much about understanding each other’s priorities, and the three processes that I mentioned earlier (aligning, educating, and simplifying) also play an important role in this relationship. Aligning is very much about understanding each other’s strategic direction, as in: what’s my approach? What’s your approach? What’s your plan? It’s important to work in the same environment, the IT department, and when it comes to educating, I think the relationship will improve a lot if and when people understand what you need from them. Because you can go around screaming all day about needing cybersecurity, but if the CIO, your main stakeholder, who is technically your boss, has no idea what you’re trying to do – good luck with that! And the streamlining, when it comes to the relationship, is about finding ways to make it simple, finding ways to meet both my and their objectives in a way that we can get our jobs done, to control the risk as much as possible, and to allow the business to operate at the same time. And the relationship will develop from there, because it’s the confidence factor. Most CIOs need to feel confident that you as CISO are going to help them. But you also need to keep the company secure. And it’s ultimately the CIO’s responsibility because of the reporting line, so s/he needs to ensure that you are a part of her/his team, while you also need to do your job. But do it in a way where everyone’s aligned with how you do it.
Q: How can you best ensure that Management and ELTs are informed on enterprise cybersecurity programs and risks?
A: The CIO is very likely not going to be an expert in cybersecurity, so, if s/he has trust in the CISO, if s/he understands what you’re trying to achieve and if you both have a good working relationship, the CIO will put you in front of the Management. That’s how it is in my case: I report to the CIO, but I’m interacting directly with the Management. But then, once you’re there, the important aspect is that you need to be able to sell, and align, and keep everybody informed in the right way. Because if the CIO were to see that you’re somehow in conflict, that you’re reporting about how bad the IT organization is in general, that you’re making her/him look bad, s/he’s quickly going to pull you down. So, as CISO you need to develop a way to keep the Management aligned, interested, and engaged. And yes, you’re reporting to the CIO because that’s the structure, but they need to also see you as the leader, as someone with the know-how, who will provide them with the right information. As an example, we have something called “The Heat Map”. In “The Heat Map” I’m able to show, across every business unit, where we are from a cybersecurity perspective, what our risk is: are we red, yellow, or green? They don’t need to know all the details, just the colors. So, if the CIO sees that the Management likes the idea of what they’re presented with, they align and listen; then the confidence factor is there. But you need to build that gradually: no organization will give you that from day one. And this is also the CIO’s way of ensuring that you make her/him look good by being able to present credible information to the Management.
Q: I think that's a great example. What about when it comes to governance frameworks, industry standards, and requirements? There are a lot of European and US regulations coming. How are you dealing with that?
A: I think, in retail we experience it a lot less, since we’re not exactly critical infrastructure. Though, in the case of some of our businesses, like pharmacies for example, we had to stay open during the COVID-19 pandemic. But while there is, for example, PCI compliance, which is very much focused on protecting customers’ information, as well as other requirements, we really deal with these as part of our day-to-day operation. In the cybersecurity space there’s not so much focus on the regulations, but if your cybersecurity organization is in order and you’re able to show compliance, it’s going to be pretty much business as usual.
Q: But you're of course looking at AI, and you're probably already using that type of technology. And I can imagine that with profiling bias in the systems, you will run into regulations, which are coming from the EU.
A: Yes, this is going to be key for the retail industry, because there are still a lot of questions about what levels AI will reach, how dependent retail will be on it and how customers will perceive it – how much interest will come from customers in this field. But it can also be another potential area of tension between the CIO and the CISO, because if the CIO sees this as an opportunity to run at 100 miles per hour, then the CISO needs to find a way to be there and support them and know how to deal with that. But I think that the level at which AI will be used still needs to be determined. There’s a lot of AI in the military space and in cybersecurity – it’s been around for many years, and we use a lot of AI too to protect our systems and so on, but it still needs to be determined how the customers will require it and how the retail space will use it, as well as how that’s regulated and controlled. It’s surely going to be part of the normal way we approach things, our way of working.
Q: Is there anything more you’d like to add?
A: For me it’s all very much built on relationships, simplification, and clear alignment. The CIO won't be an expert in cybersecurity, but s/he needs to know in a simplified way, what you are going to do, how you are going to do it, and, in the end, how you are going to help her/him to deliver what needs to be delivered.
A very special thank you to Feliks Voskoboynik for his insights and thoughts!
For more perspectives from former CISOs and CIOs, read the full study on CIO & CISO: Managing Tensions and Working Together.
To find out more please contact Job Voorhoeve or the Amrop Digital Practice members in your country!