I’m often asked what the difference is between a Chief Information Officer (CIO) and a Chief Information Security Officer (CISO). Both are senior level roles that are considered level executives in most organizations, but they have distinctly different focuses. Let’s break down the high level information technology framework of these roles so that you can decide which career path may make the most sense for you. CIO vs CISO – here we go!
Before we begin, let us define “it” in the context of CIO and CISO priorities. “It” is any technology system that a company depends on to provide the products and/or services that they provide. “It” is also any system that contains sensitive data. Generally speaking, sensitive data is information that would cause some sort of material harm, such as reputational damage, regulatory fines, legal risk, or loss of trade secrets / intellectual property.
A CIO is responsible for the technology and information that a company utilizes to be successful. Think of a CIO as the leader of the computer science teams at a company. Often innovation, budget control, advocating homogeneity within the technology stack of their organization. Security threats and risk management are core areas that a CIO should consider, but they are not focuses unless the company in question is at extreme cyber risk.
A CIO needs to be business aligned so that technology decisions are made in partnership with the objectives of the organization. The CISO recommends (and sometimes manages) security processes. Those processes certainly need to be examined by the CIO, but the role of the CIO normally falls to making “it” go and making “it” better. The definition of “it” is determined by company needs and technological advances.
A CISO has a very different focus. A CISO is the top security professional or information security manager at an organization. The CISO should have a healthy, productive tension with the CIO. For the majority of organizations, the CISO is not tasked with making “it” go or making “it” better – the CISO is tasked with making “it” secure enough to meet the risk tolerance of the organization.
The CISO needs to understand what the priorities are of the CIO and develop an information security program that meets the goals of the management team. The CISO is also responsible for addressing security incidents, digital forensics, and possibly regulatory compliance.
It is in the best interest of an organization for the CIO and the CISO to NOT be in lock step regarding the priorities of the technology team. In fact, a constant state of compromise between the CIO and the CISO is an ideal state in all but extreme cases.
The Target credit card breach of 2013/2014 illustrated this point extremely well. Target had a head of IT infrastructure AND cyber security in one person. This arrangement puts this individual in a constant conflict of interest, as making “it” secure sometimes gets in the way of making “it” less expensive or making “it” more efficient.
The roles of head of infrastructure and head of cyber security should have been separate and distinct people. The risk of cyber attacks or data breaches took a back seat to cost and efficiency, and Target paid a dear price when cyber criminals extracted millions of credit cards from them.
I’m often asked the best reporting structure for the CISO position. I work with many companies where the CISO role reports to the CIO, and I have seen this arrangement work productively. I have also seen arrangements where the CISO reports directly to the head of the legal department, the head of risk/compliance, or the CEO.
Personally, I am an advocate for one of the latter arrangements. The CISOs work to bring a reasonable level of cyber safety to a given organization. This is easier to accomplish when the CISO does not report directly to the CIO.
Some companies have the CIO and CISO as the same person. In full transparency, my opinion is that this is a dangerous approach. Without some sort of 3rd party oversight of the cyber security of the company, it is too easy for a CIO to focus on productivity, innovation or cost control. Cyber security concerns often find themselves taking a back seat to productivity, financial, or even political motivations within a company.