Although chief information security officers (CISOs) focus on technology and chief information officers (CIOs) concentrate on the business, their missions are inextricably linked. A CIO with a foot in each world enjoys a unique perspective that can only enhance effectiveness and better serve the enterprise. Rohan Amin, CIO, Consumer & Community Banking, JPMorgan Chase, explains to McKinsey’s James Kaplan how his CISO background prepared him for the CIO role.
This interview is part of a series of interviews on the evolving relationship between the CISO and CIO.
James Kaplan: What was it like making the transition from CISO to business-unit CIO? What was unexpected once you moved into the CIO role?
Rohan Amin: I had the technical background, but the main learning curve was getting much closer to the technology that supports the business—and, of course, the business processes—itself. I’m thankful I get to work with an incredible team, and they have been very supportive of me in my new role. In a CISO role, you can be a step removed, so it’s been a great learning experience for me.
James Kaplan: Where has the learning curve been the fastest? Where has it been the steepest?
Rohan Amin: I began my career as a software engineer and have led large development teams, so that was a more comfortable part of the transition. The greater learning curve has been around the business itself and the business strategy. In my previous CISO role, the primary set of relationships I had were mostly with the technology risk-and-controls community. While I did have a presence at the business table, most day-to-day interaction was with our technology teams. In my current CIO role, I am balancing across two senior teams, so my interaction with different stakeholder communities has increased dramatically.
James Kaplan: How long did it take you to get up to speed on the consumer banking side of the business?
Rohan Amin: I’m still getting up to speed! It is a behemoth of a business, with more than 52 million digitally active consumers. I have never been the CIO of a consumer bank. That I am, I think, is a testament to how the organization thinks about talent development and mobility. Second, I wanted to do something where I was forced to learn a lot of new things and was intellectually stimulated and fully engaged. I got all of that.
James Kaplan: Having been a CISO provides an interesting background for a CIO role. Was there anything about your CISO experience that made you a more effective business-unit CIO?
Rohan Amin: When we think about what matters most to our customers, running a disciplined environment with stability, resiliency, controls, and data privacy are non-negotiables. Being in the CISO role obviously instilled a lot of that in me.
The other aspect that’s helpful in having a CISO background is a deep understanding of non-functional requirements and how to make them easier to adopt. For example, modernizing our applications and striving for platform-centric thinking help to focus our engineers on the most relevant business functions, which are the features and value for customers.
As a CISO, you have a global view of risk and what the issues are and how you think about enterprise management in the application-development context. Some CISOs are policy and governance focused only, while others have a stronger technical and business background. Having a technical background and being able to effectively communicate complex issues to the business have served me well.
James Kaplan: What advice do you have for CISOs who may aspire to someday become CIOs?
Rohan Amin: In the CISO role, you get a deep appreciation for the importance of the control environment and security. You learn that everyone understands the importance of controls but wants control adoption to be more seamless and part of the engineering process.
Security-and-controls teams face a continuous challenge to figure out how to make this stuff simple and easy to use. This requires the engineering work to make it easy to adopt, easy to innovate on the platform, and easy for engineers to do the right thing. People can’t be forced to read thousands of pages of policy to figure out the right thing to do. The right thing to do should be easy and baked into the platforms and enabled via software, so that something as simple as “you should encrypt your data” isn’t something every engineering team has to figure out for itself. Make security the easy answer, not the hard answer.
James Kaplan: Do you think the skill sets of CISOs and CIOs will converge over time?
Rohan Amin: To some degree, yes. If you want to help the builders, you have to know how to build. As a CISO, if you are not close to the modernization agenda—modern architectures, cloud, data, machine learning, and so on—then it’s hard to effectively guide an organization in the right direction. That said, the risk-and-controls discipline is also rapidly evolving, with increasing focus on data governance, privacy, and operational resiliency in a world powered by the cloud and machine learning.
James Kaplan: What advice would you have for a business-unit CIO who’s never been a CISO about establishing an effective relationship with a CISO?
Rohan Amin: Take the time to understand in detail what those teams are seeing. Because when you’re on the outside of that, it’s sometimes difficult to appreciate the full extent of the problem they're trying to solve. It’s unlike other aspects of the technology organization. Understand the challenges those teams face as they try to keep the bank and the firm safe. That’s an eye-opener in terms of thinking through how you build software and the values that you instill in the organization.
James Kaplan: Is there any advice you would give to folks newly entering the security domain?
Rohan Amin: Spend time with the folks in the business who have to use the stuff you’re creating. If your objective is to help the business—which is what it should be—then you need to spend time in the business to understand what it takes to deliver something to a customer. If you spend time only in security land, you really don’t understand the complexities the builders go through to deliver. Knowing what I know now, building simplicity into security-control adoption is where I’d recommend they focus.
James Kaplan: What do you know now that you wish you had known a year or two ago?
Rohan Amin: I have a much greater appreciation for our engineering and development teams and the challenges they face in trying to do the right thing. There are so many things hitting them at once—modernization, cloud, data security, controls, resiliency, regulatory, and, of course, business functionality. I would have had a far greater sense of urgency about what a difficult environment we create for builders if we’re not putting them first and thinking about them as customers. That’s a different mindset, one I would have acted on faster if I’d had the insights into their challenges that I do now.
James Kaplan: How do you advance the skill sets of development teams?
Rohan Amin: Your development teams’ training should be balanced with what you ask those development teams to focus on. You can’t train for everything, and the evolving complexity demands that we make this easier for engineers. For example, typically you run your software through a scanning tool designed to highlight vulnerabilities, and typically, the security tool reports thousands of things you need to fix. But when you go through data sets and reports, there’s simply too much to handle. A good security team will say, “Here are the discrete actions you need to focus on and take,” as opposed to, “Here are 5,000 things that you need to figure out the importance of addressing.”
James Kaplan: How do you address security training for developers?
Rohan Amin: Increasingly, we’re baking those requirements into the software-development life cycle itself, so you don’t deploy software that has issues. That, to me, is the ultimate way to solve this problem. You need the training, but you also have the tool chain and the telemetry. Enforce what you want through a controls-and-security perspective. With cloud applications, these platforms are automatically enforcing the control environment. So if you’re not compliant, your workload won’t get deployed or run in production. That’s a big change in mindset. And to be clear, I’m referring to cloud generically—private or public.
James Kaplan: Authentication is an incredibly important part of the consumer-banking experience. What are your thoughts about managing that?
Rohan Amin: Authentication is often the first experience a consumer has with an organization, so we’re working on the authentication strategy of the future. Previously, authentication was thought about as a channel-specific thing, meaning how do we authenticate you in the branch? How do we authenticate you when you call in? How do we authenticate you online or on mobile?
We’re working to bring these experiences together in a secure and more integrated manner. We’re thinking about ways of putting the customers at the front of the design and about the multichannel ways people interact with us differently than in the past.