In most organizations, it is common for both the CISO and CIO to have responsibilities around cybersecurity—an issue increasingly pivotal to the effective running of any modern business. Clear, defined cybersecurity ownership can prove integral to successful organizational security positioning.
A recent ISACA survey of almost 3,700 global cybersecurity professionals found that while almost half (48%) of cybersecurity teams report directly into a CISO, one in four reports to the CIO. Despite the variation in reporting relationships, the survey revealed no significant differences regarding security function ownership between the CISO or CIO relating to views on increased or decreased cyberattacks, the ability to detect and respond to cyberthreats, and cybercrime reporting.
The report did, however, find variations relative to executive valuation of cyber risk assessments, how boards of directors prioritize cybersecurity, and strategic alignment. What’s more, the report also pointed to an increasing industry practice whereby the CISO reports to anyone other than the CIO, especially when the CISO’s scope includes governance, risk, and compliance, business continuity/disaster recovery, fraud, trust, and safety or crisis management.
Responsibility over cybersecurity matters can vary among CIOs and CISOs for reasons including an organization’s size, sector, and regulatory requirements. Nonetheless, the issue of who wears what type of cybersecurity ownership hat and why is increasingly critical as cybersecurity becomes more intertwined with wider business elements.
Cybersecurity responsibility: CISOs vs. CIOs
Omri Braun, CIO at Lightico, sums up the distinction between the cybersecurity responsibilities of most CIOs and CISOs this way: “The CIO is more focused on ensuring that the right tools are used to maximize efficiency as well as identify trends that influence the company and continually find opportunities to use and produce better tech. The CISO is charged with ensuring that data security, integrity, and the like are being secured proactively.”
Richard Jones, global CISO at Orange Cyberdefense, agrees. “Typically, the role of a CISO is to look at security from an operational perspective, protecting the enterprise from cyber threats. A CIO, on the other hand, focuses more on building security by design into a business’s broader tech stack and ongoing digital transformation projects to drive resilience, boost user experience, and maximize efficiency.”
Cybersecurity architect Tee Patel goes as far as to say that CIOs are often pushed to “walk the party line” in terms of security ROI, while CISOs are typically required to be far more independent, focused on protecting the organization itself. “Making the organization money and hitting targets (CIO) versus keeping it safe (CISO) are notable differences between the modern CIO and CISO positions,” he tells CSO.
These distinctions can be subtle. Amanda Finch, CEO of the Chartered Institute of Information Security, says the difference in responsibility is best summed up by each role’s attitude to data. And Ian Glover, president of information security accreditation and certification body CREST, tells CSO it is increasingly difficult to completely separate the roles of CISO and CIO from a security perspective. In most organizations, they are too closely aligned and interconnected.
The CISO’s cybersecurity responsibilities
Zoom CISO Jason Lee says his primary focus is protecting critical information, including customer data, employee data, and source code. “In security, it’s important to consider the bigger picture. This includes looking at third parties related to the business and assessing how best to manage any risks. I’m also responsible for arming employees as much as possible to ensure they’re prepared for and protected against security threats.”