
CIO vs CISO – who’s the bigger chief?

A pandemic makes CIOs and CISOs strange bedfellows, and this year they’ve had to work together more closely than ever. What is the best strategy to keep your business focused, functioning and moving forward under unprecedented circumstances?
William Khumalo, Security Engineer (Huawei Lead), ViC IT Consulting.

Digital innovation and technology-driven change have reshaped the global economy. Powered by digital technology, disruptive transformation has fuelled business growth, competitive shifts, changes in business models and accelerated digitisation.

“Changes such as these have placed IT at the centre of business strategy,” explains William Khumalo, ViC IT Consulting’s Security Engineer. “But there has to be a change in outlook – the focus of digital transformation in most organisations has been on speed, automation, optimisation and innovation.”

The pandemic has forced companies to ramp up their security strategy, with cyber criminals probing for security gaps in a new ‘IT infrastructure everywhere’ workplace. With IT security budgets increasing, CIOs (chief information officers) and CISOs (chief information security officers) are working more closely together than ever before. While the relationship between a CIO and CISO is often described as ‘ever evolving’, it can also be adversarial.

“The difference in views sometimes leads to disagreement and difficulty in the execution of business and risk policies,” says Khumalo. “The CISO now must identify himself or herself as a business enabler and, just as critically, he or she must be recognised in the same way by others from the boardroom to the executive suite to the various lines of business and departments that keep the organisation focused, functioning and moving forward on a day-to-day basis.”

While the roles of both the CIO and the CISO have shifted thanks to a different approach to planning an infrastructure that treats security as a crucial function, it’s important to differentiate between what the two can bring to an organisation, either separately or working together. A CIO is in charge of standard operating procedure development, practice development, training, resourcing and planning during a system or project development life cycle. A CISO looks after the ever-increasing security risks an organisation faces. “A CISO must establish the right security and governance practices to monitor and analyse potential security risks for the organisation,” adds Khumalo.

The case for better business continuity

CIOs have increased their visibility and authority by delivering regular updates about security through internal communication media; they need to participate in this conversation on a regular and ongoing basis to build and maintain credibility. “As organisations are breached at higher frequencies and with greater impact, CIOs need more and deeper information to help them plan for and prevent damage,” says Khumalo. “As information security becomes more prominent in the corporate world, the collaborative roles of CIO and CISO are of utmost importance. Both require a mutual agreement in various risk-critical decisions to ensure better business continuity and development.”

For certain critical IT deliverables, CIOs and CISOs embody the inherent tension between cyber security and the operational requirements of a business. When the CISO reports to the CIO, the onus is on the CIO to decide whether to fund and support cyber security initiatives or the core deliverables that the CIO is charged with delivering. If a compromise has to be made, the CIO may be tempted to sacrifice security in favour of functionality or infrastructure improvements.

A key part of maintaining a solid CIO-CISO relationship is ensuring that neither party blindsides the other: “For instance, if the CIO takes information to a board meeting that seemingly ‘blasts’ the security side of the organisation without the CISO’s prior knowledge, that’s a quick way to erode the partnership,” adds Khumalo. “The only thing this will accomplish is cementing an ‘us versus them’ or a ‘CIO versus CISO’ mentality – which is futile. My advice is to ensure that the lines of communication are open and regularly used throughout this working relationship.”

Thanks to the coronavirus pandemic, organisations across the board have accelerated their digital initiatives and migrations to the cloud to support remote workers and customers in the past several months. As a result, the relationship between the CIO and CISO has generally improved as well.

“These are two powerful independent roles – I believe they should both report to the CEO to avoid limitations,” says Khumalo. “Digital transformation and security must go hand in hand. It’s important to account for vulnerabilities when creating your transformation strategy, especially considering that most transformation initiatives now include reworking IT infrastructure,” he concludes.
