Why You Need The CISO And The CIO
The DDoS cyber-attacks that mired Kenyans in dead-end services have brought to the forefront the roles of the CIO and the CISO, while the ongoing Cybertech Africa Summit in Kigali, Rwanda under dx⁵’s tutelage, highlighted the role of the CISO.
These roles of CISO (Chief Information Security Officer) and CIO (Chief Information Officer) are distinct but complementary, co-existing in an organisation’s tech and cybersecurity worlds. While there are organisations that have both CISOs and CIOs, it has not always been clear who does what.
Security Intelligence breaks down the roles thus. “The CIO is in charge of IT, while the CSO handles all security across the board, physical and digital. The CISO handles data, systems and network security. Originally this position was created to handle cyberattacks against a financial entity, but today, the role of the CISO is much more complex.”
The article, How A CISO’s Executive Role Has Changed, further adds: “The CISO’s responsibilities include leading the team handling real-time threats and mitigation of attacks, overseeing the security architecture and the protection of the corporate infrastructure, and implementing security policies and management designed to foresee and address risk. These can include security awareness training and creating repair protocols.”
Both roles can be traced back to the pre-Y2K era. First coined in the early 1980s, the CIO title emerged in response to the rise of IT in business. Once organisations adopted computer systems and began to identify the strategic value of tech, a senior executive who would oversee IT operations and align them with business objectives became necessary.
William Synnott and William Gruber first articulated the chief information officer term in their 1981 book Information Resource Management: Opportunities and Strategies for the 1980s. To them, the CIO role naturally evolved given the growing prevalence of technology resources in an organisation. In A Brief History Of The CIO, Jonathan Huer states “In their vision, the CIO would be a C-level executive, sharing power equally with the chief executive officer (CEO) and the chief financial officer (CFO),” adding that “Whether that equally shared power within the C-suite has been achieved is subject to debate, but the CIO role is now ubiquitous, and Synnott and Gruber’s seminal book—which focused on CIOs in finance—turned out to be foundational for CIOs in many fields.”
“85 per cent of CIOs agree that the CIO is becoming a changemaker, increasingly leading business and technology initiatives,” stated the CIO.com report Building Business Strategy: State of the CIO, 2023. “This year’s focus on IT transformation and modernisation hasn’t diluted demand for CIO leadership. More than half of respondents to the 2023 State of the CIO survey (55 per cent) said they proactively identify business opportunities and make recommendations regarding technology and provider selections, while 23 per cent said they advise on business need, technology choices, and providers.”
CIO Dive notes “But the CIO has always been tightly tied to operations, too. Synnott and Gruber originally predicted CIOs would be a pipeline to becoming COOs.” Some of the CIOs who have followed this path regionally include Martin Mirero who evolved from CIO/Director ICT (Huduma Kenya Secretariat), to CTO (Ajua) and VP, Operations & Business Development (:brij) and Jack Maina, the Group CIO & IT Programme Director and CIO of the Year 2015, which propelled him to Group COO at Britam.
CISOs were an inevitability. Sometime in the late 90s and early noughties, there was a rise in cybersecurity threats. These were traditionally handled by the IT department, but the viruses, worms, and denial-of-service attacks made a dedicated information security function necessary. Pressed into a corner, organisations realised they might just need someone dedicated to handling cybersecurity, and just like that, the CISO was born. Once again, we turn to Citibank (a division of Citigroup) and to Steve Katz as the first recorded CISO.
CISO MAG has observed the transformative role of the CISO. Its piece Today’s CISOs Wear Multiple Hats: The Role Is Evolving reads: “Today’s hyper-connected workplace requires CISOs to wear multiple hats – technologist, evangelist, investigator, negotiator.” Interestingly, in his commentary The Interrupt-Driven Life Of A CISO, the former CISO turned blogger John Masserini advocates for not being a CISO. “A couple of years ago, I was interviewed by ESG on CISO stress and burnout and the impact it was having on industry leadership. In 2020, Nominet reported that 88 per cent of CISOs were ‘moderately or tremendously stressed’ and 48 per cent said the role has negatively affected their mental health. One can only imagine how these numbers have changed following the pandemic and a couple of years’ worth of massive ransomware attacks.”
The roles of CIO and CISO have evolved and become increasingly interconnected. It is now evident that technology and cybersecurity are closely linked, and that the two roles need to be paired to protect critical data and infrastructure. In fact, it is now not so rare to find an organisation that has both a CIO and a CISO.
Below are some of the distinctions in their roles.
The Cybersecurity Leading CISO
- Cybersecurity Strategy and Governance: The CISO is primarily responsible for the organisation’s cybersecurity strategy, governance, and risk management. They lead efforts to protect the organisation’s sensitive information and critical assets from cybersecurity threats.
- Security Architecture: The CISO oversees the design and implementation of the organization’s security infrastructure, including firewalls, encryption mechanisms, access controls, and intrusion detection systems.
- Threat Detection and Incident Response: The CISO leads the team responsible for monitoring and detecting security threats, as well as responding to cybersecurity incidents promptly and effectively.
- Security Policies and Compliance: The CISO develops and enforces cybersecurity policies, procedures, and best practices. They also ensure that the organization complies with relevant cybersecurity regulations and industry standards.
- Security Awareness and Training: The CISO fosters a security-aware culture within the organization by conducting cybersecurity awareness programs and training employees to recognize and respond to potential threats.
- Focus on Cybersecurity: Cybersecurity is a critical aspect of modern business operations, as cyber threats continue to evolve and pose significant risks to organizations. Having a dedicated CISO allows the organization to prioritize cybersecurity efforts, develop comprehensive security strategies, and implement robust measures to protect sensitive data and critical assets.
- Specialised Expertise: A CISO should have in-depth knowledge of cybersecurity principles, threat landscapes, risk management, and compliance.
- Risk Mitigation: Cybersecurity risks can have a profound impact on an organization’s reputation, financial stability, and legal compliance. Having a dedicated CISO who focuses on identifying and mitigating these risks adds an extra layer of protection against potential cyber threats.
- Compliance and Regulatory Requirements: With the ever-changing landscape of data privacy and cybersecurity regulations, having a CISO to monitor compliance and ensure adherence to relevant laws is crucial. This ensures that the organization remains compliant with industry standards and legal requirements.
- Cybersecurity Incident Response: In the event of a cybersecurity incident or breach, the CISO is responsible for leading the incident response team, investigating the incident, and coordinating the remediation efforts. This allows the CIO to focus on maintaining business continuity and minimizing disruptions.
The Strategic Executive CIO
- Technology Strategy and Operations: The CIO plays a crucial role in setting the organization’s overall technology strategy and aligning it with the business objectives. They oversee IT infrastructure, application development, resource allocation, and business continuity planning, ensuring that technology supports the organisation’s operations effectively.
- IT Infrastructure and Operations: The CIO oversees the management and maintenance of the organization’s IT infrastructure, including servers, networks, data centers, and cloud services.
- Application Development and Integration: The CIO leads the team responsible for developing, implementing, and integrating software applications that support the organization’s operations and improve efficiency.
- IT Budgeting and Resource Allocation: The CIO manages the IT budget and allocates resources effectively to support IT projects and initiatives.
- Business Continuity and Disaster Recovery: The CIO ensures that the organization has robust business continuity and disaster recovery plans in place to mitigate potential disruptions to IT services.
- Specialized Expertise: A CIO should possess a broad understanding of IT systems, emerging technologies, and business processes.
- IT Governance and Compliance: The CIO ensures that the organization’s IT practices align with regulatory requirements, industry standards, and internal policies. They oversee IT governance frameworks and ensure compliance with data protection and privacy regulations.
- Business Alignment: The CIO ensures that technology investments align with the organization’s business goals and objectives. They work closely with other business leaders to understand their needs and deliver technology solutions that add value.
- Vendor Management and Procurement: The CIO manages relationships with technology vendors and oversees the procurement of IT products and services, negotiating contracts and ensuring cost-effectiveness.
- IT Service Delivery and Support: The CIO is responsible for ensuring that IT services are delivered efficiently, and that IT support is readily available to address user needs and resolve technical issues.
- Digital Transformation: The CIO leads the organization’s efforts in digital transformation, leveraging technology to drive innovation, improve customer experiences, and create new revenue streams.
- Technology Risk Management: While the CISO focuses on cybersecurity risk management, the CIO addresses a broader spectrum of technology risks, including operational, financial, and strategic risks related to IT initiatives.
Ultimately, though, the CISO and the CIO need to collaborate for the alignment of cybersecurity measures with the overall IT strategy. It requires effective communication and coordination to minimise conflict and encourage the cohesion of tech and security.