CISO and CIO Convergence: Ready or Not, Here It Comes

COMMENTARY

As IT-related business requirements change, the roles and responsibilities of IT leaders change along with them. This has certainly been the case for chief information officers (CIOs) and chief information security officers (CISOs), with digital transformation intensifying their shifting roles. The CISO's stewardship of controlling digital risks is so essential to protecting today's enterprises and integral to successful digital transformation that their roles increasingly are overlapping. How or if these roles continue to intertwine has yet to be determined, but they are most definitely converging, highlighting cybersecurity's trajectory from the server room to the boardroom.

If you look back 20 years or so, it's clear these two roles have been coming together for quite some time. Back in the early 2000s, CIOs were tasked with overseeing and managing an organization's IT infrastructure and applications — usually housed in company-owned data centers, accessed from company-owned campus and branch office networks by people using company-owned computers. Their mandate was to ensure operational efficiency, business continuity, and risk management, and align IT to business goals and control costs. However, with IT trends such as digital transformation, bring your own device (BYOD), cloud computing, and more remote access, fewer CIOs are managing infrastructure and hardware directly. Instead, they act as brokers of IT services.

While CIOs are still responsible for setting and meeting technology goals and for staying on budget, their primary mandate is determining how the company can harness technology to innovate, and then procure and manage those resources. While plenty of companies still maintain large, on-premise IT estate, it's just a matter of time before they digitally transform. Either way, the CIO role has become markedly less operational over time.

On the other hand, the profile of CISOs has been growing since the early 2000s, set against a non-stop carousel of compliance mandates, data breaches, and emerging cybersecurity threats. While data breaches may have forced businesses to pay attention to security, it was compliance mandates that funded it. From HIPAA and PCI DSS to GDPR, SOC 2, and more, compliance has been a double-edged sword for CISOs.

Compliance increased the role of cybersecurity teams and made them more visible across IT and the business as a whole, providing CISOs with bigger budgets and increased latitude on how to spend it. However, all the effort they put into compliance did little to stymie phishing, ransomware, big breaches, and/or malicious insiders. Initially, this reinforced the perception of security as a financial and operational sinkhole, forcing CISOs — many of whom skew technical — to "speak the language of the business." And so, they did.

At the same time, the visibility and importance of digital security and compliance at the board level has forced CIOs, typically the main voice of all things digital, to get increasingly involved in understanding all things cybersecurity. This serves to further blur the roles.

The Digital Transformation Factor

And then came digital transformation, which presented an opportunity to fundamentally improve cybersecurity, or at a minimum, to shift it left, even though some may argue the reality hasn't lived up to the promise. Either way, the strategic and tactical decisions inherent to digital transformation required CISOs to work with CIOs in greater lockstep than ever before. CIOs still steer the ship, but the CISO has become less of an afterthought and more of a proactive partner who is fully involved in operational decision-making from the get-go.

As companies continue to embrace the cloud, software-as-a-service (SaaS), and remote work, the million-dollar question is, How will things shake out? At this point there is no single, obvious path, nor should there be. How these roles intersect and come together — or if they even should — depends on so many factors, such as company size, industry, existing org charts, culture, existing IT setup, and future digital transformation plans, to name a few. Some security leaders feel things are working well as is. Others propose breaking it into two distinct functions: A business-oriented executive focused on risk management and compliance, and a more technical executive focused on threat prevention, detection, and response.

Regardless of how the two roles evolve, these shifts underscore the importance of collaboration and alignment between these two IT leaders for successful digital transformation, and beyond.