Lamont29
Community Champion

CIO vs CISO

I wouldn’t want to offend the critics, but I recently engaged in a conversation with a fellow of the “old guard” mentality. We were bouncing ideas back and forth about the roles of the CISO and the CIO, where his legacy thinking encourages him to think that in ALL cases, the CISO should report to the CIO. I relented to just admitting that in certain circumstances, the CISO could report to the CIO and it could very well work fine. I however suggested that, let’s say the organization having the two roles is a multi-national bank; in this case, maybe the CIO should be reporting to the CISO… but he’s the old guard who would never buy that logic!
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
4 Replies
Badfilemagic
Contributor II

Getting too hung up on the “blinking lights” aspect of information security is a mistake, and one that subordinates a CISO to a CIO. I’d like to see a CISO at peer level with a CIO, reporting under a Chief Risk Officer or the CEO directly.

But they’re both the nerd kids of the C-suite, running departments that are seen as cost centers by most orgs. And CISO seems to often not even be a “real” C-level, but just someone the execs can hang out as the goat when there is a breach, before spending millions of dollars on <insert vendor du jour> and promising they won’t let it happen again.
-- wdf//CISSP, CSSLP
Baechle
Advocate I

Lamont,

Hm... I don't know about that one. I could see the CISO and CIO being peers, but that's probably as far as the CISO would go up the chain because of the scope of responsibility.

I would think that you'd likely have a structure where even the CIO falls under another head, such as the COO or the CFO, with the CISO and CTO both under the CIO, for a larger organization like a multinational bank.

CEO
|-CFO
  |-CIO
    |-CISO
    |-CTO

CISOScott
Community Champion

I think the only way that the CISO succeeds if under a CIO is if they have a direct line to the CIO's boss or higher. In every organization I have seen where the CISO reports to a CIO, the CIO has undoubtedly shot down an initiative the CISO was presenting. In some cases it was because it exposed the CIO's failings and the CIO did not want it brought to light. In other cases it was funding, staffing or another legitimate issue. So the biggest hang-up is: does the CISO have a way to bring something to the CIO's boss if it exposes incompetence/wrongdoing/etc. of the CIO?

The second fallacy I see when the CISO is under the CIO is the commingling of funding. Making the cyber security budget part of the overall IT budget, without a separate line item for it, is problematic. The CIO always has unfunded projects/priorities and since they hold the purse strings they can deny security-related items. Then when a breach happens, the CISO is hung out to dry for not putting the correct security items in place. Also, being able to tell how much a company is spending on cyber security can be difficult when it is commingled.

I think that as cyber security evolves we will see more separation of security from IT. I am starting to see a shift in this area. Before, in IT, anything to do with computers was IT. You bought anti-virus, it was IT. You had staff managing the AV, they were IT staff. You had an internet monitoring program, it was IT, etc. Now companies are starting to see the need to separate these functions. As we move more to cloud environments/consolidated data centers, we see IT staff being shuffled around and new positions being created.

I think we are still young in this field and you will see more separation of CISOs from being under the CIO, and them starting to be seen as peers instead of C-suite lite.

CISOScott
Community Champion

An update.

Look what happened at Change Healthcare. They hired a CIO to be their CISO and now some people are blaming Change HC for hiring an "inexperienced" CISO. Was he really inexperienced or just a convenient fall guy? I'm sure he had some cybersecurity knowledge, but did he have enough?

In my career I have held roles on both sides, CIO (CIO, Deputy CIO, IT Technician) and CISO (CISO, vCISO, Cyber Security Division Director, ISSO, FISO, ISSR, and ISSM), so I feel I could do well in either role.

Any new thoughts on this?