Interview with CISO at MD Anderson Cancer Center: Building an Effective CIO-CISO Relationship

In preparation for the SINC TOLA IT & Security Leaders Forum taking place on February 24 – 26 at The St. Anthony Hotel in San Antonio, TX, we caught up with Less Stoltenberg, Chief Information Security Officer at MD Anderson Cancer Center and speaker at the event to discuss building an effective CIO-CISO relationship.

At the SINC TOLA IT Leaders Forum you will be participating in a session around building an effective CIO/CISO relationship. As a CISO yourself, can you begin by giving us your opinion on why the relationship between IT and Security continues to be an obstacle for many organizations?

The goals of the two individuals are different. The CISO wants to keep things secure, while the CIO wants to make sure systems are up and data is flowing. By adding layers of security, the CIO’s goals can be impacted. If there is an adversarial relationship between the two individuals, neither individual’s goals will be optimized and sub-par solutions will be deployed.

Are there effective strategies you recommend to help build a bridge of trust across the two departments?

Build the relationship, and physical location matters. At MD Anderson, the CIO, CTO and CISO all have offices next to each other. This does two things: first, there is a natural building of trust when you interact with each other on a daily basis. Second, it signals to the rest of the organization that all of these functions are important.

In your opinion, what is the ideal organization reporting structure to ensure the voice of both IT and Security are heard and respected in the boardroom?

I am a firm believer that the CISO should not report to the CIO; there is just too much conflict if one person has the right to trump the other, especially as it relates to budget decisions. The ideal situation is that the two positions are peers and report very high in the organization.

What fundamental shifts in structure and mindset do you foresee in the future?

I anticipate the reporting structure of the CISO will continue to shift outside of the IT organization. The first reason is the perceived conflict of interest; the second is that Information Security is becoming more of an enterprise risk and has non-IT elements like insider threat.

Following your session at the Forum, what do you ultimately want the audience of IT and Security to take away and implement if they have not already done so?

I would like the audience to understand the pros and cons of the different reporting structures and to consider building a strong relationship between the CIO and CISO, especially if there is currently an adversarial relationship.

Less Stoltenberg will be speaking at the forthcoming SINC TOLA IT & Security Leaders Forum taking place on February 24 – 26 at The St. Anthony Hotel in San Antonio, TX. For information on the event and details on how to participate go to https://sincusa.com/events/tolacio2019/