How CISOs and CIOs should share cybersecurity ownership
In most organizations, it is common for both the CISO and CIO to have responsibilities around cybersecurity—an issue increasingly pivotal to the effective running of any modern business. Clear, defined cybersecurity ownership can prove integral to successful organizational security positioning.
A recent ISACA survey of almost 3,700 global cybersecurity professionals found that while almost half (48%) of cybersecurity teams report directly into a CISO, one in four reports to the CIO. Despite the variation in reporting relationships, the survey revealed no significant differences regarding security function ownership between the CISO or CIO relating to views on increased or decreased cyberattacks, the ability to detect and respond to cyberthreats, and cybercrime reporting.
The report did, however, find variations relative to executive valuation of cyber risk assessments, how boards of directors prioritize cybersecurity, and strategic alignment. What’s more, the report also pointed to an increasing industry practice whereby the CISO reports to anyone other than the CIO, especially when the CISO’s scope includes governance, risk, and compliance, business continuity/disaster recovery, fraud, trust, and safety or crisis management.
Responsibility over cybersecurity matters can vary among CIOs and CISOs for reasons including an organization’s size, sector, and regulatory requirements. Nonetheless, the issue of who wears what type of cybersecurity ownership hat and why is increasingly critical as cybersecurity becomes more entwined with wider business elements.
Cybersecurity responsibility: CISOs vs. CIOs
Omri Braun, CIO at Lightico, sums up the distinction between the cybersecurity responsibilities of most CIOs and CISOs this way: “The CIO is more focused on ensuring that the right tools are used to maximize efficiency as well as identify trends that influence the company and continually find opportunities to use and produce better tech. The CISO is charged with ensuring that data security, integrity, and the like are being secured proactively.”
Richard Jones, global CISO at Orange Cyberdefense, agrees. “Typically, the role of a CISO is to look at security from an operational perspective, protecting the enterprise from cyber threats. A CIO, on the other hand, focuses more on building security by design into a business’s broader tech stack and ongoing digital transformation projects to drive resilience, boost user experience, and maximize efficiency.”
Cybersecurity architect Tee Patel goes as far to say that CIOs are often pushed to “walk the party line” in terms of security ROI, while CISOs are typically required to be far more independent, focused on protecting the organization itself. “Making the organization money and hitting targets (CIO) versus keeping it safe (CISO) are notable differences between the modern CIO and CISO positions,” he tells CSO.
These distinctions can be subtle. Amanda Finch, CEO of the Chartered Institute of Information Security says the difference in responsibility is best summed up by each role’s attitude to data. And Ian Glover, president of information security accreditation and certification body CREST, tells CSO it is increasingly difficult to completely separate the roles of CISO and CIO from a security perspective. In most organizations, they are too closely aligned and interconnected.
The CISO's cybersecurity responsibilities
Zoom CISO Jason Lee says his primary focus is protecting critical information, including customer data, employee data, and source code. “In security, it’s important to consider the bigger picture. This includes looking at third parties related to the business and assessing how best to manage any risks. I’m also responsible for arming employees as much as possible to ensure they’re prepared for and protected against security threats.”
For Joanna Burkey, CISO at HP Inc., navigating the hybrid working era to protect the enterprise is integral to current security efforts. “In the remote, work-from-home model of the last 18 or so months, it has been tempting for cybersecurity to add more restrictions on employees, as work is often conducted without the protection of traditional on-premises infrastructure.” However, these security policies and restrictions have been designed for times when remote working was the exception, not the norm, and need to be viewed through a new lens, she says. “CISOs now need to think about how other approaches to mitigate risk could still protect the enterprise but also acknowledge that real life, especially in the wake of a global pandemic, doesn’t always adhere nicely to following policy.”
Jones adds that managing an overload caused by the combination of the dynamic cyberthreat landscape and the rising tide of digital transformation is another integral element of the modern CISO’s role. “Cybersecurity now needs to be embedded into every aspect of a business’s operations and be front of mind for everyone from the CEO to entry-level graduates.” As such, CISOs must inject security into all aspects of a company’s digital environment from the ground up, he says, ensuring it is baked in from the start of digital projects to ultimately reduce the alert volume security teams face and allow them to better use their skills and resources.
The CIO's cybersecurity responsibilities
While the CISO is responsible for various elements of cybersecurity day-to-day and forward planning, in most organizations, the buck often stops with the CIO, who reports to the CEO and the board of directors, Finch says. “As a result, the CIO cannot hand responsibility to the CISO entirely. Instead, they need to retain awareness of security strategy and ensure that it isn’t putting the organization’s overall strategy in danger—or vice versa.”
Brad Pollard, CIO at Tenable, says today's CIOs have a range of security accountabilities founded in availability, performance, budget, and the timely delivery of projects. “CIOs enable and support every business unit within an organization. In doing so, they inherit the information security requirements for each business unit.”
For example, the CISO may well be charged with defining security parameters such as service level agreements for vulnerability remediation or access controls, but it falls to the CIO to deliver on these requirements for all business units, spanning all the company’s technologies, Pollard says. “The key cybersecurity challenge facing modern CIOs is meeting the business needs, specifically staying on budget and staying on schedule, while maintaining a secured environment.”
Jots Sehmbi, CIO at the University of Essex, tells CSO that the role of the CIO is becoming about much more than just running traditional operations. It is increasingly encompassing the implementation of new technologies to provide organizations with digital capabilities. “Some of these technologies can be novel to an organization (e.g., RPA, AI, IoT) and present potential risks, such as how data is architected. The CIO, therefore, has a responsibility to have a firm understanding of the cybersecurity trends of any new technologies.”
Conflict and collaboration
Braun says that, given the realities of an imperfect world, the different cybersecurity responsibilities and goals of CISOs and CIOs can lead to conflict. However, he emphasizes the need for cohesion to ensure that “forward thinking tech is being used that is insured by a layer of security and security practices that don’t endanger the company, its data, or its customers’ data.”
CIOs and CISOs cannot think of themselves in isolation and must understand that while they might have different objectives, they are walking the same path, says Jones. “Collaboration and communication between these two roles are key within the modern enterprise. CISOs and CIOs must collaborate to harness technologies and approaches such as SD-WAN, SASE, and zero trust that enable these new ways of working securely, efficiently, and without inhibiting usability.” CISOs and CIOs working in cohesion must also be aware of, and operate within, the constraints of the other, he adds.
Glover cites regulatory matters that come into play here, highlighting an emerging issue in the international regulated community where regulators are now recognizing a responsibility to understand the level of cybersecurity assurance provided by their regulated entities. “There needs to be stronger collaboration between CIOs and CISOs in the same regulated industries. The regulators will do what they believe is the right thing, but often look at the issue from a local perspective. This type of active influence is very different from the historic roles of the CIO and CISO, but, if conducted carefully and sympathetically, will reduce costs to the business, allow more resource to be concentrated on controls rather than reporting, and will raise the position of the CIO and CISO within the organization by demonstrating a real understanding of business and the need to decrease costs and increase efficiency.”
The developing role of cybersecurity within business operations is shifting the cohesive dynamic between the CIO and CISO, Lee adds, something he has experienced himself at Zoom. “We both have to prioritize cybersecurity and combat the increasing threats posed. Security has to be at the forefront of our minds when any decision is made. Remaining involved in each other’s strategies and key initiatives is critical. We engage each other constantly in our strategies even if we don’t think the other is needed to be sure that we remain on the same page and have that strong alignment. This means our roles are much more linked than they used to be, making collaboration even more important.”
The future of cybersecurity ownership
Looking ahead, experts predict notable evolutions in cybersecurity responsibilities for CISOs and CIOs. “We’ll see CIOs and CISOs working hard to make security a trusted source with consistency of standards, behavior, and execution—just like professions such as law, medicine, and accounting—with equally serious responsibilities,” says Finch.
Marc Lueck, CISO at Zscaler, thinks CIOs will have an interesting cybersecurity journey in the years to come. “Either the role and individual will become adept at balancing two very different essential services with very different cost and benefit models, or the CIO will become responsible for the IT delivery of security, governed and possibly enforced by a CISO who no longer reports to them. Both models will exist, and both will be successful where the right people are in those roles.” He notes that a cybersecurity failure for a CIO is “currently not memorable,” but cybersecurity will become just as important for CIOs as efficiency and cost-cutting skills.
Pollard adds that, much like how contemporary business units have taken up some traditional IT responsibilities via SaaS platforms, CIOs will be more responsible for finding security specialists within business units. “These specialists will not only need to know how to secure the specific technologies used but will need situational awareness of the threats that are of the greatest risk to that specific business unit,” he adds.
Glover predicts the joint responsibilities of the CIO and CISO will change in the areas of third-party connectivity and mergers and acquisitions, with both being required to work together to establish meaningful processes that add to security and assurance. “They will work together to ensure that they are part of major initiatives within the business and have the strength and authority between them to make sensible, considered statements about third-party connections and acquisitions and mergers.”