CIO Vs. CISO: Who Does What?

Melissa Stevens | June 6, 2017

Every organization handles security differently, based on their needs and internal structure — but in some midsized and large companies, both the chief information officer (CIO) and the chief information security officer (CISO) are involved.

The relationship between the CIO and the CISO is often described as “sometimes adversarial” but “ever-evolving.” This is largely because CIOs and CISOs aren't always considered true peers; in some organizations, the CISO reports into the CIO's business unit, creating a potential conflict of interest.

That being said, fostering a strong relationship between these two C-level roles is simply critical in managing security and risk.

Below, we’ll walk through some of the unique roles both the CIO and the CISO are known to take on and how these two individuals (and their departments) should work together to accomplish common goals.

The CIO Role

Traditionally, CIOs have always had an information systems and digital management focus. They are the owners of the IT side of the enterprise and typically support the business with technology solutions. Today, CIOs help companies turn away from legacy solutions and outdated processes in an effort to modernize technology in their organizations and always consider how to make processes more efficient. More recently, the role has evolved to include more cybersecurity-related tasks. Security tools are now frequently used in IT operations and embedded in day-to-day IT activities and processes. The CIO may, for example, ensure there is a secure process for Internet-of-Things-enabled applications in an organization — or they may look at how other organizations are handling their cybersecurity to benchmark their own organization’s performance using a security tool.

Here are 5 ways CIOs can improve communication.

The CISO Role

The CISO’s role is all about managing information security risk throughout the data lifecycle. This individual needs to know where the critical data is located, what the company’s risk threshold is should the data become compromised, and how to protect this data while supporting the business’ objectives. CISOs are instrumental in defining and implementing a risk management framework to properly govern, evaluate, and respond to risks involving the company’s protected data. They are also heavily involved in vendor risk management (VRM) of the organization’s third and fourth parties — for example, ensuring critical data is only accessible to those who need access to perform required tasks.

CISOs have, at times, held a reputation for being something of a “no” man — frequently rejecting what they consider to be unnecessary business risks — so some organizations simply cut them out of the decision-making process. With the rise of cybercrime and the evolving threat landscape, this scenario should be avoided. Today’s CISO should have a firm grasp on how to report on the risk environment both holistically and within the organization in order to give the Board of Directors the information it needs to make decisions.

The CIO & CISO Relationship

Both the CIO and the CISO are there to protect and manage assets and information, but from two different viewpoints — and that’s a good thing. For example, today, the CIO’s function is to ensure systems and information are available and accessible to whoever needs them, and the CISO’s function is to ensure proper controls are in place so that only those who actually need access to information are able to get it, and the information stays where it is supposed to be.

A key part of maintaining a solid CIO-CISO relationship is ensuring that neither party blindsides the other. For instance, if the CIO takes information to a board meeting that seemingly “blasts” the security side of the organization without the CISO’s prior knowledge, that’s a quick way to erode the partnership. The only thing this will accomplish is cementing an “us vs. them” or a “CIO vs. CISO” mentality — which is futile. Be sure lines of communication are open and regularly used throughout this working relationship.

In Conclusion

Security cannot exist in a vacuum — thus, a company’s risk and security plan cannot rest entirely on the CIO’s or the CISO’s shoulders. Both sides should focus on understanding the other’s perspectives and priorities in order to help the business accomplish its goals in terms of organizational security. If this happens, everyone wins.

Special thanks to Celia Baker, president of the IntelliGRACS Group Inc., for her insights into this topic.
