
Careers & People

10/19/2016
03:35 PM

CIO-CISO Relationship Continues To Evolve

The CISO has traditionally reported to the CIO, but this is changing as security becomes more important. How will this change their relationship, and how can they better work together?

For years, the security pro was one of many staffers under CIO management. Now the CISO is becoming more prominent as businesses buckle down on security.

This is causing a shift in the working relationship between the two C-level executives. While the CIO is responsible for leadership, vision, and IT implementation to propel the business forward, the CISO has a critical role in providing insight and guidance to ensure the strategy is secure.

"The CISO role is becoming more important in the relationship with the CIO," says Dave Mahon, VP and CSO at CenturyLink. "Security is now, in essence, table stakes for delivering on your corporate strategy." 

Part of this is due to the evolution of security. Corporate networks are increasingly complex and support more connected devices than ever, especially with the growth of BYOD programs. Hackers are using more sophisticated methods to breach organizations and steal data.

In this dynamic environment, the CISO identifies vulnerabilities and advises the CIO on future plans, Mahon explains. The two review a road map, look at systems and data throughout the organization, and the CISO provides guidance. For example, he/she may advise the CIO not to use a particular vendor because it's a security risk.

"There is no corporate structure standard but today, the majority of public companies still have the CISO reporting directly to the CIO," says Jeremy King, president at Benchmark Executive Search.

Every company views risk management differently, he continues. Some businesses have their CISO report to the general counsel, head of compliance, COO, or CEO. In addition, the CISO and CIO are becoming more empowered to veto key strategic decisions.

"The CISO has a seat at the boardroom table," says Dawn-Marie Hutchinson, executive director for Optiv's Office of the CISO. "They're saying, 'Let's talk about what the business is doing strategically and how we can enable that functionality.'"

This used to be the CIO's conversation, she says, but reporting structure is changing to prioritize security issues and projects. Businesses want to know how they can maintain the privacy of information systems, and the attention is giving CISOs more face time with board members and execs.

Greg Conti, principal at IronNet Cybersecurity, says he foresees the requirements for CISOs increasing over time, especially as more highly publicized breaches continue to occur.

"The CISO must understand technology, policy, law, compliance, risk, and myriad other areas," he explains. "These are very diverse topics and this complexity requires a strong team because no one can be an expert in it all."

As the CISO becomes critical to business decisions, the CIO's role is changing, says Hutchinson. The CIO is more frequently being relegated to operational tech and handling issues like outsourcing, cloud usage, and network availability -- all issues driving them away from security.

Change and Challenges

Going forward, both the CIO and CISO will face distinct challenges as their roles and relationship continue to evolve.

The role of the CIO won't go away, says Hutchinson, but it will be redefined as we know it. She predicts the CIO will have greater responsibility over innovation. Companies that innovate are those with strong CIOs leading the charge, she notes.

The challenge for CIOs will be deploying new technologies. Oftentimes they're so preoccupied with keeping the lights on, CIOs don't have time to make the IT department more effective in providing and supporting tools that meet changing business needs, she says.

Mahon poses another question that will challenge CIOs and CISOs as the threat landscape evolves: "One of the challenges will be, how do you meet the addressable market, the needs of customers, in a way that still aligns with your own corporate-approved risk management posture?" 

This question will require senior leadership teams that establish the risk management posture to strike a balance between speed-to-market and security. They can choose to go to market quickly, but in doing so, they risk long-term repercussions.

The changing roles of the CISO and CIO may affect spending, says Conti.

"I do see the CIO's role as being potentially less glamorous than that of the CISO in some ways," he notes. "For example, the classic challenge of the CIO is that when everything is working nobody cares, but as soon as something stops working, it becomes a major problem. This challenge is hard to overcome, whereas the CISO has a compelling security narrative driving their requirements."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
Joe Stanganelli,
User Rank: Ninja
10/22/2016 | 4:20:06 PM
e.g., DHHS
Indeed, the CISO of the US Department of Health and Human Services will no longer report to the CIO because of conflict of interest issues; I'm proud to have written an InformationWeek piece that was cited in a legislative report recommending having the DHHS CISO report to the DHHS General Counsel.

Legislative report: energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/114/Analysis/20150806HHSinformationsecurityreport.pdf

IWK piece: informationweek.com/strategic-cio/cyber-security-and-the-cio-changing-the-conversation/a/d-id/1320660