Thomas P. Gresham, Assistant Director within the County of Santa Barbara, discusses how to generate the best outcome from the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) relationship.
Traditional organizational frameworks place the CISO position as a direct report to the CIO. This structure has been challenged in recent years as cybersecurity risk management has grown in importance. As the cyber threat landscape expands, the CISO has been tasked with managing risk from multiple sources, including legal and regulatory exposure, business continuity, revenue loss and reputation. The technical scope is growing as well, as industrial control systems such as building climate controls and physical security systems become networked with enterprise IT. Given this level of responsibility and oversight, the CISO should report directly to the CEO in order to influence the lines of business effectively and to have a direct communication channel to the C-suite.
The CIO and CISO often have different missions and different perspectives on how IT should be treated in terms of funding, program management and strategic vision. The CIO provides strategic leadership and oversight for the IT systems, processes and personnel that enable the organization's core mission; it is the CIO's responsibility to lead IT staff, to innovate and to maintain budgets. The CISO is focused more on managing the risk inherent in how information and services are delivered. Their priorities will differ, and it is for this very reason that the CISO should not report directly to the CIO: doing so would compromise the CISO's ability to operate independently and without undue influence.
Having served in both capacities, I have learned that the two missions can work hand in hand in a mutualistic relationship. When the CIO and CISO are peers reporting to the CEO, funding sources and missions can be defined and assigned so that little conflict arises. The CIO is given a budget to maintain, grow and transform the business through innovation, automation and other activities directly tied to enabling organizational business goals. The CISO requires a separate funding source, because his or her mission is to ensure that risk is managed to a level commensurate with the value of the information, service or asset. Managing risk to the organization should be funded outside the CIO's IT capital and operational budgets, since risk management is akin to safety, insurance and other traditional risk management functions. The CISO's budget can then be tailored specifically to the level of risk the organization is willing to accept.
The CIO should embrace opportunities to strengthen IT services through the application of proper security measures: this not only increases resiliency but also demonstrates due diligence should a breach, and a subsequent lawsuit, ensue. Similarly, CISO-driven audits and checks are opportunities for the CIO to draw attention to needed improvements in IT services.
The CIO and CISO are not in competition for resources, because the focus of each mission differs. Rather, the two roles are interdependent: a partnership in delivering IT services that enable the business while providing appropriate security and resilience. CEOs who recognize and appreciate how this relationship brings the best value to an organization will offer both the CIO and the CISO equal seats at the table.