The CISO as Enterprise Integrator

“The whole is greater than the sum of its parts.” ~Aristotle

Even in the 4th Century BC, it was understood that functions within an organization working together for a common goal produced better results than working independently. Somewhere between Aristotle and the modern MBA program this lesson seems to have been lost, as functional excellence became a key criterion for bonuses and promotions. As a result of the recent movement towards digital transformation and organizational agility, the importance of enterprise integration is only now being rediscovered. Yet most organizations are hardwired for functional thinking, with budgets and recognition systems as heavy influencers of silo behavior.

Take the example of the Three Mile Island Nuclear Accident, where strong silo behavior and a focus on functional excellence led to poor information flow between departments that needed to work together. The result? Lack of communications, internal competition and poor trust compounded a technical fault into a major accident. In their excellent book, Meltdown: Why Our Systems Fail and What We Can Do About It, Chris Clearfield and Andras Tilcsik clearly point out how in complex systems small mistakes and communication blockages can lead to catastrophic results.

Today’s businesses and organizations are becoming increasingly complex. And the rush towards integrating digital technologies into every aspect of the organization dramatically increases that complexity. Supply chains have become massively complex and often harbour significant business risks. And in many cases these critical supply chain risks are invisible to management. And manufacturing is no longer isolated from marketing and sales, since the customer experience is becoming a significant competitive advantage in many industries.

We are working in ever more complex organizations, and it seems that the only person who cuts across the silos and looks after the “big picture” is the CEO. But with the increasing external demands on the time of the CEO, efforts at enterprise integration and getting multiple functions to work together for a common enterprise objective often take a back seat.

Organizational silos are a significant business risk!

An Important Role for the CISO

The growing tsunami of attacks from cyber criminals and nation-state bad actors is seen as one of the top business risks by business leaders. A single breach could wipe billions off market value, cost millions in loss of downtime and system recovery, plus significantly damage both customer and employee trust in the company.

While cyber security lies squarely in the job description of the cyber security department, seeing cyber security as a functional responsibility is both naive and extremely risky. With 80% of cyber breaches the result of employee mistakes and behaviour, cyber safety becomes an enterprise issue, not a functional issue. And all employees, from the C-suite to the night cleaning crew, and from the Call Center to the outsourced staff are important links to cyber security.

At a recent workshop on cyber security culture and risk mapping for a large European-based global bank, it quickly became apparent that cyber safety was an enterprise issue. The culture and risk mapping exercise revealed several key departments that have a significant impact on overall cyber safety, but had few significant interactions with the Cyber Security department. These were Physical Security, Information Technology, and Human Resources. Each has its own functional objectives, budgets and challenges, yet in many ways all have a direct and significant impact on cyber security inside the organization. And the C-suite also stood out as critical to overall cyber security; not just for their contribution to “tone at the top”, but for the significant number of cyber security exceptions generated by this group.

Silo focus and lack of overall alignment on key enterprise objectives often lead to sub-optimization, and hidden business risks.


In our experience, the CISO is in the perfect position to be the catalyst for organizational alignment, since cyber security risks reside in every function and every individual employee action. The CISO is one of the few in an organization who has an enterprise-wide perspective on security risks and could effectively act as the enterprise integrator, helping to mitigate current and potential cyber risks to the organization. A breach may happen in one area or from one action, but its impact is enterprise-wide and affects everyone. While market risk or operational risk are impacted by one or two functions, cyber security risk is inherent in every function and every employee.

Currently the role and responsibilities of the CISO are not well defined, and there is much discussion as to where the CISO should report and the breadth of their remit. Those companies that fully understand the enterprise and business risks of a cyber breach tend to have the CISO sitting on the senior leadership team. But in most cases, the cyber security function is still seen as a secondary technology cost center reporting to the CIO or, in some cases, the Chief Risk Officer, CFO, COO or even the Legal Counsel. According to a study by the Georgia Tech Information Security Center, 40 percent of CISOs reported to the CIO or CTO. And the Global State of Information Security Survey 2018 estimated the financial losses that result from the reporting relationship of the Chief Security Officer.


We believe that seeing cyber security as a business issue and not a technology issue is key to putting in the proper organizational structure and reporting relationships to allow the CISO to act as an enterprise integrator.

It is impossible to determine when or where many business risks come from, but cyber attacks are continuous, growing and a serious business risk.

John R Childress. Chairman, CulturSys, Inc.

About johnrchildress

John Childress is a pioneer in the field of strategy execution, culture change, executive leadership and organization effectiveness, author of several books and numerous articles on leadership, and an effective public speaker and workshop facilitator for Boards and senior executive teams. In 1978 John co-founded The Senn-Delaney Leadership Consulting Group, the first international consulting firm to focus exclusively on culture change, leadership development and senior team alignment. Between 1978 and 2000 he served as its President and CEO and guided the international expansion of the company. His work with senior leadership teams has included companies in crisis (GPU Nuclear – owner of the Three Mile Island Nuclear Plants following the accident), deregulated industries (natural gas pipelines, telecommunications and the breakup of The Bell Telephone Companies), mergers and acquisitions and classic business turnaround scenarios with global organizations from the Fortune 500 and FTSE 250 ranks. He has designed and conducted consulting engagements in the US, UK, Europe, Middle East, Africa, China and Asia. Currently John is an independent advisor to CEOs, Boards, management teams and organisations on strategy execution, corporate culture, leadership team effectiveness, business performance and executive development. John was born in the Cascade Mountains of Oregon and eventually moved to Carmel Highlands, California, where he lived during most of his business career. John is a Phi Beta Kappa scholar with a BA degree (Magna cum Laude) from the University of California, a Masters Degree from Harvard University, and was a PhD candidate at the University of Hawaii before deciding on a career as a business entrepreneur in the mid-70s. In 1968-69 he attended the American University of Beirut, and it was there that his interest in cultures, leadership and group dynamics began to take shape.
John Childress resides in London and the south of France with his family and is an avid flyfisherman, with recent trips to Alaska, the Amazon River, Tierra del Fuego, and Kamchatka in the far east of Russia. He is a trustee for Young Virtuosi, a foundation to support talented young musicians. You can reach John at or

1 Response to The CISO as Enterprise Integrator

  1. Pingback: The CISO as Enterprise Integrator — John R Childress . . . Rethinking – The Cognitive CISO
