The Amrop Digital Interviews: Aloys Kregting, Head of Global Enabling Services ASML
“You need to have good storytelling capabilities.”
Companies are under more pressure than ever to push fast-paced tech transformation, but with much more attention to information, cyber, and technology security. The tensions between enabling business objectives through technology and maintaining a robust security posture are especially challenging when CISOs report to CIOs.
Together with global search partner JM Search, Amrop has been exploring common areas of C-suite tension through a series of interviews with CIOs and CISOs in Europe and the US. In the final interview of our series, Job Voorhoeve, leader of Amrop’s Global Digital Practice, talked to Aloys Kregting, Head of Global Enabling Services at ASML and former CIO at AkzoNobel. They discussed sources of tension, the importance of storytelling and the ways the CIO can help the CISO when it comes to communicating to the Board and the rest of the organization.
Job Voorhoeve: There often appears to be tension between the priorities of enabling business objectives through technology and maintaining a robust security posture. What have you found to be the specific areas where this tension most clearly manifests itself?
Aloys Kregting: I think you get this tension when the CIO or the CISO is detached from the rest of the organization, from the stakeholders, and starts doing too many things in isolation. I use the information pyramid a lot: it shows that IT needs to be aligned with the governance, the organization, the master data, and the business process – the context needs to be made congruent, and then you won’t have this problem. So, to make it concrete: if the CISO is not able to explain how relevant the information security risks are for the business propositions, you will have this friction. But if the business really understands the information risks for their own environment, there won’t be such tension. Generally, the tension is mostly related to the fact that people have an asymmetrical set of information and background. So, if both the CIO’s and the CISO’s communication skills, drive, and capabilities are good enough to come out and show themselves, share the risks and make their story an integral part of the overall picture, then there is no issue. You get the misery you deserve, so to speak (laughs).
Q: Now you mainly refer to the CISO’s area of expertise and responsibility, but it’s also an element when it comes to the CIO post, right?
A: Exactly the same applies in this case. The CIO needs to be able to explain their challenges, for example, that they need to do the maintenance of their ERP landscape or the data center, because nobody will care about it as long as it runs; nobody will otherwise worry about the fact that the CIO has trouble making sure that it runs properly. So, the CIO needs to be able to explain risks. In general, if you’re too introverted and have no storytelling capabilities, you will have a very difficult life these days. But to be able to tell a good, compelling story, it needs to have two components: it must be rationally sound and emotionally engaging. If you have that, you will be able to make things work, and it is true for many functions, but surely it applies to both the CIO and the CISO.
Q: You mentioned the information pyramid and governance, and, from what you’re saying now, it becomes clear that you take a kind of governance approach to the CIO role. So, it’s framed your thinking in the sense that you’re doing something like an internal auditor, and that’s also an asset when it comes to the alignment of the CIO and the CISO, because the CISO is also very much working from a governance perspective.
A: Absolutely. I’ve seen and experienced it in the past – when people don’t follow that logic, it’s very difficult, near impossible to do their job, and they often pursue projects with zero chance of success. And that’s the case in many organizations where the governance is very much dispersed. I’ve experienced it myself in the past, where finance was organized for each business group, and I was tasked with creating a single finance solution. It’s not going to work, and you can easily draw parallels with what’s happening in the government here in the Netherlands. Every ministry has their own CIO, and they share one tax authority which executes all the demands and functionality requirements from at least seven ministries. They have no chance of creating an integrated system, and, of course, everybody complains about the way the tax authority works, which is actually unfair, because they have some quite brilliant people working there – but they’ve allowed seven different sources to steer one single authority. It’s not aligned and there’s no way it can be successful – unless, by accident, all seven ministries give aligned requirements to the tax authorities. What are the chances of that happening?
"If the CISO is not able to explain how relevant the information security risks are for the business, you will have friction. But if the business really understands the information risks for their own environment, there won’t be such tension."
Q: That’s a great example. And what from your perspective are the pros and cons of the CISO reporting to the CIO vs. working as peers?
A: I have a slight preference for the CISO reporting to the CIO, but, of course, there are also negative aspects to that. The positive effect of such a reporting line is that your ability to execute on the technical side is much higher. But the complete scope of the CISO’s work normally contains three levels: technology, process, and people. These are the lines of defense when it comes to information security. If we look at the level of technology, the best chance for that to function well is when the CISO reports to the CIO – in this scenario they just need to make the decision, as the CIO would never want to be caught in a situation where he’s failed to have basic protection in place. If we look at the process level, which is about, for example, how certain things are done, how people throw away papers etc., both types of reporting structure are fine; there is no difference. If we look at the people level, how the reporting structure influences the company culture – I would say in this scenario the CISO reporting to the CIO is a bit disadvantageous, and it’s better if the CISO would be reporting higher up in the ranks. But both scenarios have pros and cons that even one another out. What I think has more influence are the characters of the two individuals. So, if you have an introverted CIO and also an introverted CISO, then the reporting structure makes no difference either way, because they won’t be able to influence what happens on the people level. When it comes to the process level, they will both withdraw themselves completely into the technology, and do potentially brilliant things which nobody else will know about. So, I would say that a much more powerful mix is where you have a CISO who is very outgoing and can influence the whole company. And that could be perfectly combined with an introverted CIO, who makes sure that the technology works perfectly. And in such a scenario they would work better as peers.
Q: Right, because then the extroverted CISO will help the CIO to have more influence on the culture level?
A: Yes, that way they will work together better on the process and the people level. I have done lots of the so-called “red team” exercises where you let the security be compromised by ethical hackers. And 100% of the time, without exception, the people level was the weakest link. With social engineering, with pressuring people the ethical hackers always got what they wanted, while the technology usually worked quite well – the intrusion systems were picking up on certain things. So yes, looking back on that I also have to conclude that the most important distinctive factor which could determine how well everything works is to have a CISO who actually knows what they’re talking about and knows also how to influence the organization, including the CIO. And then it actually doesn’t matter whether they’re reporting to the CIO or if they’re working as peers.
Q: Do you perhaps have some suggestions for a successful collaboration?
A: It is definitely crucial to follow a common framework. I’ve often worked with the NIST framework because it perfectly highlights not only the technology side but also the response side, which is a form of process – for example, if it goes wrong, how do you respond to that? Then you can grow in maturity and use the language which everybody can compare to the rest of the market. Plus, the NIST report is something that you can send to, let’s say, the key stakeholders on a monthly basis. If you do that, you build tension around this, which is necessary because often the senior management has a form of plausible deniability. But when you report out of the NIST framework on a monthly basis, you take them along for the journey, and they have no reason to say that they didn’t know something. Especially if that’s combined with the good storytelling capabilities of the CIO or CISO. Because, again, you have to have a rationally sound story, real content, and you can use the NIST framework for that, but you also need your story to be emotionally engaging. So, you basically need to have impact on both halves of the human brain – then the people will follow. Communication is key – not just because we now work in a global environment, but also because the different components of the risks are really complex. There are so many levels and layers, and parts of the organization and technology where it can go wrong! So, the ability to tell a story in a very simple, engaging way is really an art in itself, and cannot be taken for granted.
Q: Simplicity does work really well, but it’s not in itself simple at all!?
A: Yes, and the challenge is to find CISOs who not only know security well but can also tell a compelling story. It’s a rare species, I would say.
Q: But things are getting better! What advice would you give to your fellow CIOs and CISOs to best manage this relationship?
A: Even if the CISO reports to the CIO, there needs to be a clear demarcation on who does what. So, for example, just like an internal audit director, the CISO needs to have a form of independence to not be overruled by the CIO for budget reasons or others – that would be risky. So, there must be a direct link between the CISO and the CFO, as well as the chairman of the audit committee, for example, so that the independence of the CISO is safeguarded.
Q: What about managing the relationship, the personal side of it – what would you do and what would you expect from the CISO towards you? What has worked well in the past when you're working with the CISOs?
A: I think, just like with every working relationship, you need to understand what makes them tick. How do they want to develop themselves? Just like with every direct report and a colleague, give them respect, give them constructive feedback, help them develop. Working with CISOs in the past I’ve had to spend a lot of time working on the communication, and getting them out of the dark, so to speak, because some of them really prefer to work in isolation, doing the brilliant things nobody knows anything about. So, that requires some work, helping them in that journey.
Q: So, I think, what you're saying is that you could also challenge them and challenge yourself as well in the process, right?
A: Definitely.
Q: My final question is related to the collective communication and messaging towards the Board: what have you found to be best practices for CIOs and CISOs to collectively communicate a unified message about the security program and cyber risks to the Board and ELT?
A: It’s similar – help them by taking the rest of the organization along on the journey, which means different types of communication. For example, one piece of advice I’ve given to CISOs, and which has actually worked quite well, is to use real incidents in their storytelling. As a CIO, I once experienced a situation where we were having a sales meeting and the whole sales team would get new laptops while being off-site. So, one of the IT team members would drive to that site the evening before and would install 26 laptops the next morning, but they got stolen from the boot of his car. And then we can remind everyone that the corporate policy dictates to never leave the laptop unsupervised, or in the boot of your car. Or somebody went to China and their laptop was ripped by the Chinese government when they used the Wi-Fi of a building. Always use real examples, make it very real, rather than talk about vague, generic security risks – make them very specific to your company. Many companies don’t like to do this because there’s this natural tendency to sweep information security incidents under the carpet, pretending they didn’t happen, but I think it’s much better, much more powerful to be more open about them. Of course, we need to respect privacy in that too, but sweeping everything under the carpet – that’s unhealthy.
Q: Thank you, that’s very insightful. Do you have any final remarks?
A: Make sure that the CISOs are not IT security officers, but really information security officers – they need to consider things on paper, on whiteboards, on social media, not just in the ERP systems and the R&D environment. They really need to think about innovation in the broadest sense of security.