CIO Vs. CISO: Who Does What?


Every organization handles security differently, based on its needs and internal structure, but in some mid-sized and large companies, both the chief information officer (CIO) and the chief information security officer (CISO) are involved.

This can set up a CIO vs. CISO standoff. Indeed, the relationship between the CIO and the CISO is often described as “sometimes adversarial” but “ever-evolving.” This is often due to the fact that CIOs and CISOs aren't always considered true peers; in some organizations, the CISO reports into the CIO's business unit, causing a potential conflict of interest.

That being said, fostering a strong relationship between these two C-level roles is critical to managing security and risk.

Below, we’ll walk through some of the unique roles both the CIO and the CISO are known to take on and how these two individuals (and their departments) should work together to accomplish common goals.


The Role of the CIO

Traditionally, CIOs have had an information systems and digital management focus. They are the owners of the IT side of the enterprise and typically support the business with technology solutions. Today, CIOs help companies turn away from legacy solutions and outdated processes in an effort to modernize technology in their organizations. They are also always looking to make processes more efficient.

More recently, the role has evolved to include more cybersecurity-related tasks. Security tools are now frequently used in IT operations and embedded in day-to-day IT activities and processes. The CIO may, for example, ensure there is a secure process for Internet-of-Things-enabled applications in an organization — or they may look at how other organizations are handling their cybersecurity to benchmark their own organization’s performance using a security tool.

The Role of the CISO

The CISO’s role is all about managing information security risk throughout the data lifecycle. This individual needs to know where critical data is located, what the company’s risk threshold is should the data become compromised, and how to protect this data while supporting the business’ objectives.

CISOs are instrumental in defining and implementing a cyber risk management framework to properly govern, evaluate, and respond to risks involving the company’s protected data. They are also heavily involved in vendor risk management (VRM) of the organization’s third and fourth parties — for example, ensuring critical data is only accessible to those who need access to perform required tasks.

CISOs have, at times, held a reputation for being something of a “no” man — frequently rejecting what they consider to be unnecessary business risks — so some organizations simply cut them out of the decision-making process. With the rise of cybercrime and the evolving threat landscape, this scenario should be avoided. Today’s CISO should have a firm grasp on how to report on the risk environment both holistically and within the organization in order to give the Board of Directors the information it needs to make decisions.

The CIO & CISO Relationship

Both the CIO and the CISO are there to protect and manage assets and information, but from two different viewpoints, and that’s a good thing. For example, the CIO’s function is to ensure systems and information are available and accessible to whoever needs them. Meanwhile, the CISO’s function is to ensure proper controls are in place so that only those who actually need access to information have it, and the information stays where it is supposed to be.

A key part of maintaining a solid CIO-CISO relationship is ensuring that neither party blindsides the other. For instance, if the CIO takes information to a board meeting that seemingly “blasts” the security side of the organization without the CISO’s prior knowledge, that’s a quick way to erode the partnership. The only thing this will accomplish is cementing an “us vs. them” or a “CIO vs. CISO” mentality — which is futile. Be sure lines of communication are open and regularly used throughout this working relationship.

It's Not CIO vs. CISO – It's CIO and CISO

Security cannot exist in a vacuum, so a company’s risk and security plan cannot rest entirely on the CIO’s or the CISO’s shoulders. Only when both sides understand the other’s perspectives and priorities can the business accomplish its security goals. If this happens, everyone wins.

Special thanks to Celia Baker, president of the IntelliGRACS Group Inc., for her insights into this topic.
