CIO vs CISO – Who Does What?
“Every organization handles security differently, based on their needs and internal structure—but in some mid- to large-sized companies, both the chief information officer (CIO) and the chief information security officer (CISO) are involved.
The relationship between the CIO and the CISO is something that is often described as “sometimes adversarial” but “ever-evolving.” This is often due to the fact that CIOs and CISOs aren’t always considered true peers; in some organizations, the CISO reports into the CIO’s business unit, causing a potential conflict of interest.
That being said, fostering a strong relationship between these two roles is simply critical in managing security and risk.
CIO VS. CISO: Who Does What?
Traditionally, CIOs have always had an information systems and digital management focus. They are the owners of the IT side of the enterprise and typically support the business with technology solutions. Today, CIOs help companies turn away from legacy solutions and outdated processes in an effort to modernize technology in their organizations and always consider how to make processes more efficient. More recently, the role has evolved to include more cyber security-related tasks. Security tools are now frequently used in IT operations and embedded in day-to-day IT activities and processes. The CIO may, for example, ensure there is a secure process for Internet-of-Things-enabled applications in an organization—or they may look at how other organizations are handling their cyber security to benchmark their own organization’s performance using a security tool.
The CISO’s role is all about managing information security risk throughout the data lifecycle. This individual needs to know where the critical data is located, what the company’s risk threshold is should the data become compromised, and how to protect this data while supporting the business’ objectives. CISOs are instrumental in defining and implementing a risk management framework to properly govern, evaluate, and respond to risks involving the company’s protected data. They are also heavily involved in vendor risk management (VRM) of the organization’s third and fourth parties—for example, ensuring critical data is only accessible to those who need access to perform required tasks.
CISOs have, at times, held a reputation for being something of a “no” man—frequently rejecting what they consider to be unnecessary business risks—so some organizations simply cut them out of the decision-making process. With the rise of cybercrime and the evolving threat landscape, this scenario should be avoided. Today’s CISO should have a firm grasp on how to report on the risk environment both holistically and within the organization in order to give the board of directors the information it needs to make decisions.
CIO and CISO Working Together
Both the CIO and the CISO are there to protect and manage assets and information, but from two different viewpoints—and that’s a good thing. For example, today, the CIO’s function is to ensure systems and information are available and accessible to whomever needs them—and the CISO’s function is to ensure proper controls are in place so that only those who actually need access to information are able to get it, and the information stays where it is supposed to be.
A key part of maintaining a solid CIO-CISO relationship is ensuring that neither party blindsides the other. For instance, if the CIO takes information to a board meeting that seemingly “blasts” the security side of the organization without the CISO’s prior knowledge, that’s a quick way to erode the partnership. The only thing this will accomplish is cementing an “us vs. them” or a “CIO vs. CISO” mentality—which is futile. Be sure lines of communication are open and regularly used throughout this working relationship.”
What Does a CIO Do?
CIOs in large organizations typically delegate the oversight of day-to-day IT operations to a technology deputy and rely on a team of specialists to manage specific areas of IT. The role of the CIO continues to rapidly evolve as organizations become more digital.
The chief information officer at one organization could have an entirely different set of responsibilities from the CIO down the street. A very high-level definition describes a CIO as “a job title commonly given to the person in an enterprise responsible for the information technology and computer systems that support enterprise goals.” It is the CIO’s job to innovate, collaborate, balance the IT budget and motivate IT staff.
What Does a CISO Do?
A CISO’s job is to increase shareholder value by protecting the company’s market share, revenue and brand. In order to win management support for security, they need to show how they have prioritized, modeled and priced risk. For each new project, they need to identify, analyze and evaluate the risks, measure the costs of securing the services and present viable options. This information helps decide how to allocate resources and also proves the CISO’s value to the company.
It’s important for CISOs to prioritize what’s most important to the company and what generates the most revenue, then apply the appropriate security for that piece of the corporate world. They need to be able to develop a strategy for an overall architecture and delegate the technical responsibilities, all while still providing guidance and oversight.
Why both a CIO and CISO?
The CIO and CISO have different goals and are measured on whether or not they accomplish those differing goals. Though they may often be on the same page, they are going to disagree on occasion and tensions will sometimes flare. Should the CIO have the final say when that happens?
If a CISO reports directly to the CIO, then they might argue that their advice is only being taken whenever and wherever it doesn’t directly contradict whatever the CIO already wants to do. Their CIOs would likely reply that they deviate from the CISO’s recommendations only when those recommendations would unnecessarily hamper performance and growth.
This suggests that an organization is better off from a security perspective when the CISO does not report directly to the CIO.
This doesn’t mean the CISO can’t be effective when answering to the CIO, just that the natural tension that exists between their roles is less likely to surface when it’s contained within the IT structure. If the CEO and Board aren’t aware when the CIO and CISO disagree, it’s then all on the CIO to determine which path to take between their differing viewpoints.
While their roles are entirely intertwined, it is always a great idea to have two similar minds on board rather than just one.
Need some help selecting CIO roles within your business? Get in touch with us today!
h/t to bitsightech.com for this informative article!