Sean Nourse, Chief Solutions Officer

This blog explores how the changing face of cybercrime is transforming the CIO’s role and how the rocky relationship between CIOs and CISOs has evolved. These complexities are especially related to who reports to whom.


Many organisations fail to acknowledge the importance of having both a chief information officer (CIO) and a chief information security officer (CISO). They assume that the CIO, as the person responsible for the business’s information, must also keep that data secure.

But no company is immune to cybercrime, and fighting it is a full-time job. The threat landscape is evolving and becoming more sophisticated. Chances are the CIO will want backup to keep cyber-crooks at bay and corporate data secure.


What is the difference between a CIO and CISO, anyway?

The CIO

A CIO is the senior executive responsible for the information technology and computer systems that support business goals.

Here are a few CIO key focus areas:

Move the company forward digitally. It is the CIO’s role to innovate. CIOs focus on taking the business into the digital era and assessing the technologies it needs to stay competitive.

Keeping the ship afloat. The CIO is in charge of making sure that IT systems run smoothly.

The CISO

A CISO establishes and maintains security in support of business goals, and protects corporate information and technology assets.

Here are a few CISO key focus areas:

Breach response and reaction responsibilities. The CISO should have the authority, and the budget, to respond adequately should a breach occur, and to do so as quickly and seamlessly as possible. This is essential to minimise the impact of the security incident.

Approval of existing IT investment plans. The CISO is tasked with evaluating IT investment plans from a security perspective, and should have the authority to veto anything that does not meet security standards.

Communicate effectively with stakeholders. When a security breach occurs, it is important to keep key stakeholders informed of what is happening at all times. Because these incidents are technical in nature, the CISO must be able to communicate with concerned parties as clearly and as simply as possible.

Cybersecurity and the boardroom

According to a 2015 IBM-sponsored study, board participation in cybersecurity is a key factor in decreasing costs. The report found that board-level involvement in security can reduce the expenses associated with a data breach by approximately $5.50 per record.

It is necessary to talk about cybersecurity in a way that board members understand and appreciate. The IBM study found that boards generally lack confidence in cybersecurity’s capabilities against the threats facing corporates.

But as boards back cybersecurity, and more and more companies acknowledge the importance of a CISO, the responsibility and workload of managing compliance and curbing threats is lessened. If you are unsure whether to keep your security in-house or hand it over to a third party, we have the perfect resource to help you make the right decision. Download our “Cybersecurity: In-House vs. Outsource” guide here.
