Big data initiatives and the growing adoption of generative AI and other data-driven projects are accelerating the need for security leaders and chief data officers (CDOs) to work more collaboratively with each other.
At a high level, both roles involve oversight over how an organization generates, stores, uses, shares, and manages data. But while the CISO’s objective typically is to protect that data from compromise and breaches, the CDO’s is to enable access to it for a wide and growing number of use cases. The different goals are driving a growing tension between the two roles.
Point of Reckoning Close at Hand
“The point of reckoning is coming in the next few years,” says Mike Scott, CISO at data security company Immuta, whose career includes a stint as CISO of fast-food chain Wendy’s. The problems that the CISO and the CDO face are both focused on data governance and management. The point where they diverge is the desired outcomes, Scott says.
“Where CISOs are worried about controlling access,” Scott says, “CDOs are all about enabling access to create revenue streams for the company.”
It’s a point of divergence that is manifest in how the CISO/CSO and CDO roles have evolved over the years in organizations. For all the talk about the need to align security more closely with business needs, the CISO role remains predominantly technology focused. If anything, it appears to have become even more so in recent years.
A 2023 survey of global CISOs by leadership search firm Heidrick & Struggles showed just 5% of CISOs in the US currently report to the CEO — down from 8% in 2022 and 11% in 2021. That’s lower than in other regions of the world such as Europe and Australia, but not by a whole lot.
The survey also found a slight decrease in the percentage of CISOs reporting to the CIO — from 38% in 2022 to 36% in 2023. Instead, more now report to the CTO, to a senior engineering executive, or to the chief operating officer. The data points are “indicative of the shifting left of the role, from compliance into technology,” Heidrick & Struggles concluded in its report.
At the same time, a survey of CDOs at 116 Fortune 100 companies conducted by NewVantage Partners showed that just the opposite trend has played out with their status within the enterprise.
Despite some continuing ambiguity over their exact function, 43.3% of CDOs and chief data analytics officers (CDAOs) now report to the CEO, president, or COO of their organizations, and some 56% report to a business leader rather than a technology function. Just 27% still report to the CIO function.
“This reflects a significant shift in how the role is perceived, and a commitment to ensuring the delivery of business value from the CDO/CDAO role,” the survey report said.
The Growing Importance of Data
“A lot of this has to do with how data has become fundamental to business success,” Scott says. There is a huge amount of incentive to invest in data, and this has given the CDO function a direct line to top management, he says. So the CDO’s messages tend to get a lot more attention than a CISO’s or CSO’s. For that to change, CISOs are going to have to be more involved in what the CDO is doing, especially given the exploding interest in big data and generative AI initiatives.
Adrian Estala, field CDO at data analytics firm Starburst and former CDO at Shell, shares the same sentiments. Both the CDO and the CSO have to understand where all their data assets are. They both need a full view of the architecture. “As a CISO I am looking at the architecture from a risk standpoint,” he says. That means identifying all the risk points, knowing where the organization’s crown jewels are, and implementing controls for protecting them. “Where is data flowing, where is it coming from, who is using it — these are all exactly the same concerns that CDOs have,” he says.
The difference is that while the security executive tends to be more focused on risk, a CDO is focused on just trying to get data to customers as fast as possible. “A lot of the time, the last question you ask is if that is the most secure way to do it,” Estala says. While business executives tend to perceive CDOs as standing shoulder to shoulder with them, CISOs are seen more as the cop who arrives when accidents happen. “If you are speeding, the CISO is the police officer that gives you a ticket and the CDO is the paramedic that is trying to help.”
Partnering for Success
There are ways that both sides can help each other fulfill their missions, Estala says. CDOs, for example, can make the CISO’s role a lot easier by being more cognizant of data movement. “If I am copying and moving data all over the organization for the business, I am creating additional work for the info sec team,” he says. “They have to create and recreate controls for everywhere that data rests. It can become a nightmare for a CISO.”
One way to address this would be for the CDO to find ways to work with data at its source, so that it becomes easier for the security team to apply appropriate controls to that use.
Similarly, CISOs and other security leaders can help by understanding the CDO mission better and implementing guardrails and controls that let data teams use data safely without cramping innovation. These controls and guardrails could include access control and self-service options that make it easier for data teams to enable, control, and revoke access to data, he says.
The natural tension that exists between the two groups is a good thing, Estala says. “The CISO absolutely has to provide a bump in the road,” he says. “If there is not a bump, the CDO will run as fast as they want and that is not a good thing either.”
Adam Strange, principal analyst at Omdia, says the CDO’s role is still relatively new. Most organizations that have a CDO have only appointed one in the last five years, he notes. “The role is still evolving and as such may be seen to compete with roles like the CISO and CIO,” Strange notes.
With data becoming central to any organization’s success these days, role definition is key, he says. “Data has or is emerging as a relatively new area which requires new levels of thought and subsequent action in terms of protection,” he says. “The CISO, CDO, and actually the CIO/CTO and business leaders need to work out who is responsible for which layer of the cybersecurity ‘onion.’ There is a big enough task for all roles to work in collaborative harmony.”