Analyzing The CIO's Roles & Responsibilities Regarding Cybersecurity
Melissa Stevens | November 17, 2016
The chief information officer (CIO) has traditionally owned IT security — and in recent years, cybersecurity has become a larger part of the modern CIO’s responsibility. Cybersecurity is a company-wide issue — and it’s everyone’s responsibility to manage it appropriately — but today, the CIO must act as a steward for the data and ensure that the right controls and processes are in place for data security.
In this article, we’ll walk through the CIO’s roles and responsibilities as they pertain to cybersecurity, and examine several ways the CIO role has more recently evolved.
The CIO's Roles & Responsibilities Regarding Cybersecurity
The CIO must be aware of the regulations that govern their industry or their business. With this information, they must be able to communicate their cybersecurity posture and any risk to the necessary parties both internally and externally.
The CIO must focus on both training and overall cybersecurity awareness. For example, the CIO may need to facilitate cybersecurity awareness for end users and for those managing applications or analytics.
The CIO must ensure that the right controls are in place and the right tools to mitigate cybersecurity risk are in use.
The CIO must be able to appropriately benchmark cybersecurity and leverage frameworks like NIST or ISO 27001/27002.
The CIO must enforce and manage cybersecurity controls for vendors and monitor them continuously for as long as the business relationship continues. In the pre-contract stage with a vendor, the CIO must ensure that the vendor is vetted thoroughly via the necessary methods. This may include audits, questionnaires, on-site visits, penetration tests, or analysis of a vendor's security rating.
There are a few important changes that have happened over the years — and responsibilities that are still evolving — within the role of chief information officer.
The CIO is now often given a seat at the enterprise risk management committee table. They are often joined by representatives from other departments — for example, a member each from the audit team, the compliance team, the legal team, the finance team, and others. In fact, the chief information security officer (CISO) typically joins this committee as well, signaling a shift in the criticality of cybersecurity today.
The CIO is more heavily involved in the interoperation of systems across the organization. The Internet of Things (IoT) has played a major role in this, as greater connectivity allows for a wider digital ecosystem. For example, companies are connecting machines to machines and applications to analytics. The CIO needs to ensure that these processes are secure through and through.
Depending on the industry, the CIO may not have as large a stake in cybersecurity as another business function. For example, in heavily regulated industries, there is an established model of who owns information security and cybersecurity. In certain cases, someone outside of IT (say, in compliance) may have a more heavily weighted role than the CIO. The CIO is still involved — but perhaps not to the degree that they would be otherwise.
Because the role of today’s CIO has evolved so much, it’s critical to automate as many processes as possible. BitSight Security Ratings give you the ability to examine third-party vendors or potential mergers before you sign a contract and for the length of the contract. CIOs today know that cybersecurity must be considered on a constant basis — and BitSight facilitates this process.