
Who actually owns cyber security: CISO vs. CIO

Both CISOs and CIOs commonly operate within the cyber security space. A recent survey indicates that 48% of security teams report to a CISO, while 25% report to the CIO. Although there was no measurable difference in terms of strategies deployed by CISOs vs. CIOs, defining who should take cyber security ownership is becoming increasingly important. 

CISO vs. CIO

The CISO’s primary responsibility is attending to data security and integrity. In contrast, “The CIO is more focused on ensuring that the right tools are used to maximize efficiency as well as [to] identify trends that influence the company and [to] continually find opportunities to use and produce better tech,” says CIO of Lightico, Omri Braun.

Another key difference in expectations around the two roles, as they relate to cyber security, is that CISOs do not necessarily have to prove ROI to the same extent as CIOs. A CISO’s cyber security recommendations may be weighted more heavily and attended to more closely than those of a CIO, who may have to present more detailed justifications.

Further, Amanda Finch, a CEO in the information security sector, points out that CISOs commonly require one attitude towards data, while CIOs adopt a different attitude towards data. Neither is problematic. Each person in each role is simply approaching the issue from a different perspective.

Separation of roles 

The CISO role and the CIO role can look distinct. However, in some enterprises the roles are so similar that it is becoming increasingly difficult to work out who should focus on which aspects of security.

In most organizations, the CIO provides a complementary “check” (as in ‘checks and balances’) within the security process. The CIO collaborates with the CISO on overall security strategy, while the CISO drills down into more precise policies, practices and strategic initiatives. 

CIOs commonly report to higher level management, including the board of directors. As such, CIO roles often encompass budgetary responsibilities, performance management responsibilities, and expectations around project delivery. CIOs are commonly focused on meeting big picture business needs. 

Business opportunities and challenges

Each role offers the opportunity to consider new technologies that can enhance cyber security and that can sharpen the organization’s competitive edge. While a territorial approach can manifest, the frequency and veracity of emerging issues also mean ample opportunities to collaborate and communicate. 

The CISO and the CIO can continually engage one another in strategy development. A running dialogue and discussion between the two helps to ensure that everyone is on the same page. The fluidity of the roles doesn’t have to pose a problem. Rather, it can imply that security will be standardized and consistent across an organization. 

The future of the CISO vs. CIO roles

These two roles will either become more alike or more distinct. In one future model, CIOs retain greater oversight of cyber security specialists than at present. In another model, CIOs provide a different set of essential services that are disconnected from cyber security.

Within a handful of organizations, CISOs report to the Chief Risk Officer, the Chief Financial Officer, the General Counsel or others. It is possible that at some point, CISOs will no longer report to CIOs. The two will oversee entirely different domains that require different types of reporting.

For more insights into the CISO role vs. the CIO role, visit the Cyber Talk glossary. To receive expert-curated content, cutting-edge cyber security analysis, and premium cyber security resources each week, sign up for the Cyber Talk newsletter.
