CIO Vs. CISO: Who Does What?

Melissa Stevens | June 6, 2017

Every organization handles security differently, based on their needs and internal structure — but in some midsized and large companies, both the chief information officer (CIO) and the chief information security officer (CISO) are involved.

The relationship between the CIO and the CISO is often described as "sometimes adversarial" but "ever-evolving." This is largely because CIOs and CISOs aren't always treated as true peers: in some organizations the CISO reports into the CIO's business unit, so the person responsible for identifying risk in IT answers to the person responsible for delivering IT, which is a potential conflict of interest.

That being said, fostering a strong relationship between these two C-level roles is critical to managing security and risk.

Below, we’ll walk through some of the unique roles both the CIO and the CISO are known to take on and how these two individuals (and their departments) should work together to accomplish common goals.

The CIO Role

Traditionally, CIOs have had an information systems and digital management focus. They own the IT side of the enterprise and typically support the business with technology solutions. Today, CIOs help companies move away from legacy solutions and outdated processes in an effort to modernize technology, and they are always looking for ways to make processes more efficient. More recently, the role has evolved to include more cybersecurity-related tasks: security tools are now frequently used in IT operations and embedded in day-to-day IT activities and processes. The CIO may, for example, ensure there is a secure process for onboarding Internet-of-Things-enabled applications in the organization, or may use a security benchmarking tool to compare the organization's security performance against how other organizations are handling their cybersecurity.

The CISO Role

The CISO’s role is all about managing information security risk throughout the data lifecycle. This individual needs to know where the critical data is located, what the company’s risk tolerance is should that data be compromised, and how to protect it while still supporting the business’s objectives. CISOs are instrumental in defining and implementing a risk management framework to properly govern, evaluate, and respond to risks involving the company’s protected data. They are also heavily involved in vendor risk management (VRM) of the organization’s third and fourth parties, for example ensuring that a vendor can access critical data only to the extent its staff need it to perform the tasks the vendor was engaged for.

CISOs have, at times, held a reputation for being something of a “no” man, frequently rejecting what they consider to be unnecessary business risks, and so some organizations simply cut them out of the decision-making process. With the rise of cybercrime and the evolving threat landscape, this scenario should be avoided. Today’s CISO should have a firm grasp on how to report on the risk environment, both as a whole and for the organization specifically, in order to give the Board of Directors the information it needs to make decisions.

The CIO & CISO Relationship

Both the CIO and the CISO are there to protect and manage assets and information, but from two different viewpoints, and that’s a good thing. Today, for example, the CIO’s function is to ensure systems and information are available and accessible to whoever needs them, while the CISO’s function is to ensure proper controls are in place so that only those who actually need access to information are able to obtain it, and so that the information stays where it is supposed to be. One role is accountable for availability, the other for confidentiality and integrity, and the business needs both.

A key part of maintaining a solid CIO-CISO relationship is ensuring that neither party blindsides the other. For instance, if the CIO takes information to a board meeting that seemingly “blasts” the security side of the organization without the CISO’s prior knowledge, that’s a quick way to erode the partnership. The only thing this will accomplish is cementing an “us vs. them” or a “CIO vs. CISO” mentality — which is futile. Be sure lines of communication are open and regularly used throughout this working relationship.

In Conclusion

Security cannot exist in a vacuum; thus, a company’s risk and security plan cannot rest entirely on either the CIO’s or the CISO’s shoulders. Both sides should focus on understanding the other’s perspectives and priorities in order to help the business accomplish its goals for organizational security. If this happens, everyone wins.

Special thanks to Celia Baker, president of the IntelliGRACS Group Inc., for her insights into this topic.
