Harmonizing the CIO and CISO Roles to Bolster Security

Today’s evolving attack surface calls for a closer alignment between the chief information officer and chief information security officer roles.

Nate Kurtz, Chief Information Officer

October 3, 2023

4 Min Read
female and male business colleagues shake hands
Rawpixel Ltd via Alamy Stock

Security and compliance have only gained importance as each year passes. Amid today’s ever-changing security vulnerabilities, enterprises face a multitude of challenges and must ensure they have the right solutions to monitor and protect against attacks on valuable data. And as ransomware continues to plague organizations, many are also taking proactive steps to promote better security across their people. The CIO and the CISO are two critical roles that should evolve just as is today’s threat landscape.

Organizations should establish an effective relationship between the CIO and CISO roles to bolster protection. Alignment between the two roles is instrumental in driving security and compliance forward, and organizations should consider ways to harmonize these critical positions.

The success of the CIO and CISO relationship means operating as an interdependent team, focusing on a shared vision and roadmap where the CISO designs the strategy and company level approach, and the CIO executes in support of the strategy. It’s also important to note that the two roles have evolved over the years, naturally resulting in the ensemble.

Examining CIO and CISO Responsibilities

One way to develop a robust security and ransomware protection plan across an organization is to ensure the CIO and CISO work closely together to ensure organizations can meet compliance and promote better security hygiene.

Related:2023 Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023

Previously, the CISO was responsible for an organization’s security while the CIO managed technical innovation and implementation. However, the CISO should be responsible for looking into broader security threats in the market while the CIO handles tactical execution. These shared responsibilities ultimately create a closer-knit relationship to enhance security measures. Both roles certainly vary from organization to organization. For example, some CISOs may be responsible for frontline cyber-defense duties while others focus on oversight responsibilities. Depending on an organization’s size and industry, some CISOs may handle both.

At its core, the CISO role requires a solid understanding of technology, leadership, and management. They also need to understand the day-to-day business functions, working closely with industry regulators and board members, which has become more prevalent than ever.

Demands for the CIO role also continue to increase, with key focus areas including business insight, automation, and technical innovation to scale the business, which is becoming increasingly important in the age of generative AI. Before, the CIO role focused on system availability and simply “keeping the lights on,” but today, it’s looking into how to unlock data for organizational and customer insights best.

Maintaining a security-first posture involves reinspecting old processes and modernizing approaches to simplify operations, scale, and grow your technology stack. CIOs have always needed to look at digital transformation through this lens, ensuring that projects align with business goals while making the business more effective. Even in a small way, it’s of the utmost importance for CIOs.

Establishing Alignment in Today’s Attack Surface

Recent research found that 85% of organizations suffered at least one cyberattack in the last 12 months, compared to 76% in 2022. The results also showed that the roles closest to the challenges of cyber events -- like the CIO and CISO -- are often the least satisfied with the partnering between teams. In the face of ransomware specifically, both roles must strategize new methods of protection to save the organization from significant recovery costs, business disruption, and damaged reputation. Both roles should focus on working together to develop data recovery plans, including steps to take should a ransomware attack occur.

The innovation of global cybersecurity groups and the evolving cyber threat landscape will always be the most important. Generative AI only adds to the complexity of attacks, meaning that the CIO and CISO must work together to enhance the resiliency of the business and prepare for the inevitable attack.

Both roles face heightened responsibility for threat detection and resolution and ensuring effective security hygiene, which calls for a tight alignment between the CIO and CISO roles. Driving and maintaining security across all endpoints means that both should be looking at avenues that foster a culture of innovation and resiliency as the basis of everything they do. The CIO should also manage the organization’s technology infrastructure, ensuring smooth operations as the CISO focuses on protecting that infrastructure from cyber threats.

In today’s ransomware-heavy world, the CIO and CISO should look at initiatives that improve their business resiliency against threats, such as immutable and portable backups, to ensure data integrity in an attack. The CISO should be responsible for spearheading the security roadmap and vision, while the CIO ties in the technology component and validates the organization’s ability to execute it.

Despite their traditionally different focus areas, the CIO and CISO roles are deeply interconnected and play critical roles in protecting the organization. A healthy connection requires their work to be mutually dependent, and this starts with a focus on priority business outcomes rather than focusing on specific technologies. Striking a balance involves consistently discovering more collaboration opportunities as the attack surface and business priorities shift.

About the Author(s)

Nate Kurtz

Chief Information Officer, Veeam

Nate Kurtz is the Chief Information Officer at Veeam, a leading data protection, backup, and recovery company. Previously, he served in various senior roles, including the Technology Services leader at F5, a multi-cloud application services and security company. Nate completed his college education at the Michael G. Foster School of Business at the University of Washington. Nate also served in the US Army as a member of the 2nd Ranger Battalion.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights