CIO Vs. CISO: Who Does What?

CIO Vs. CISO: Who Does What?

Every organization handles security differently, based on their needs and internal structure—but in some mid-sized and large companies, both the chief information officer (CIO) and the chief information security officer (CISO) are involved.

This can set up a CIO vs. CISO standoff. Indeed, historically, the relationship between the CIO and CISO has been described as adversarial but ever-evolving. While organizations today don’t question the value of a CISO, there is also debate about who the CISO should report to: the CIO, CEO, or even CFO?

Reporting directly to the CIO could lead to the CISO being cut off from the rest of the organization and struggling to get buy-in for security initiatives. Likewise, the CIO may not have the security expertise that the CISO does, setting up potential tension that gets in the way of an effective information security strategy.

That being said, fostering a strong relationship between these two C-level roles is critical in managing security and risk.

Below, we’ll walk through some of the unique roles both the CIO and the CISO are known to take on and how these two individuals (and their departments) should work together to accomplish common goals.

CIO Vs. CISO: Who Does What?

The Role of the CIO

Traditionally, CIOs have focused on information systems and digital management. They are the owners of the IT side of the enterprise and typically support the business with technology solutions. Today, CIOs help companies turn away from legacy solutions and outdated processes in an effort to modernize technology in their organizations. They are also always looking to make processes more efficient.

More recently, the role has evolved to include more cybersecurity-related tasks. Security tools are embedded in day-to-day IT activities and processes. The CIO may, for example, ensure there is a secure process for cloud-enabled applications in an organization. They may also use tools that provide a snapshot of overall security performance so they can view and report on the “big picture.” Some may even benchmark their own organization’s performance so they can see how the company’s security program stacks up.

The Role of the CISO

The CISO’s role is all about managing information security risk throughout the data lifecycle. This individual must know:

  • Where critical data is located: on-premise, across geographies and remote locations, and in the cloud.
  • How the organization’s IT infrastructure and systems are interconnected so that data can be secured in-transit and at rest.
  • Which vendors have access to the organization’s network and data, and the security posture of those vendors.
  • Where vulnerabilities exist across the attack surface, both internal and external.
  • What the company’s risk threshold is should the data become compromised.
  • How to protect this data while supporting the business’ objectives.
  • What to do in the event of a cyber incident.

CISOs are instrumental in defining and implementing a cyber risk management framework to properly govern, evaluate, and respond to risks involving the company’s protected data.

They are also heavily involved in vendor risk management (VRM) of the organization’s third and fourth parties. In this capacity, CISOs must:

  • Work to streamline the vendor due diligence process so that the company’s vendor ecosystem can scale easily to meet the growing needs of the organization.
  • Understand the security posture of vendors before they are onboarded and ensure they are within the company’s risk tolerance.
  • Make certain critical data is only accessible to those who need access to perform required tasks.
  • Continuously monitor third parties for cyber risk from procurement all the way through the vendor relationship.
  • Be prepared to react quickly when third-party or supply chain vulnerabilities and zero day events are detected.

As you can see, the role of the CISO carries enormous responsibility, and with cyber risk now firmly a boardroom issue, the CISO must also communicate information about the organization’s security posture to executive stakeholders clearly and directly, and couched in terms they will understand. This includes risks from new business partnerships and vendor relationships, new technologies, and the company’s financial exposure to cyber risk.

Read more in 3 Ways CISOs Can Brief Executives and Board Members on Cybersecurity IT Governance.

The CIO & CISO Relationship

Both the CIO and the CISO are there to protect and manage assets and information, but from two different viewpoints—and that’s a good thing. For example, the CIO’s function is to ensure systems and information are available and accessible to whomever needs them. Meanwhile, the CISO’s function is to ensure proper policies, controls, and insights are in place so that the security teams can discover and counter the daily threats the organization faces.

Whomever the CISO reports to, the relationship must be transparent, collaborative, and respectful. When the relationship is solid, the CIO and CISO can draw on each other’s expertise in making risk management a top priority, make smarter investments, and ensure security is embedded in every technology initiative.

It's Not CIO vs. CISO—It's CIO and CISO

Security cannot exist in a vacuum—thus, a company with a solid risk and security plan cannot rest entirely on the CIO or the CISO’s shoulders. Both sides must understand the other’s perspectives and priorities, leverage integrated cyber risk management solutions to guide and harmonize decision making, and report effectively to the board. When this happens, everyone wins.