The combination of the roles of Chief Information Officer (CIO) and Chief Information Security Officer (CISO) is slowly becoming a trend in the business world, as it has the potential to resolve the conflict of interest between running a smoothly functioning IT system and running a secure one. Although there is no formally defined job role of CIO/CISO, there is an increasing belief that this is the direction of the future for SMEs; in larger enterprises, having one person handle the complex requirements of both roles may be too difficult.
Jadee Hanson, CISO at Code42, and Sandy Dunn, CISO at BreachQuest (now CISO at Shadowscape), have both accepted this dual CISO/CIO role and have their own views on the matter. Dunn believes that both roles serve the same purpose, which is to help or ensure business profitability, and should work together as effectively as possible to maximize business efficiency. Hanson’s approach to cybersecurity showed the CEO that she could seamlessly take on the additional CIO role. Dunn has a background in tech and likens the relationship to a car: the driver is the business, which needs to reach the finish line as quickly and safely as possible, IT provides the engine, and security specifies the airbags, the type of brakes and the standard of tires.
The pressure for performance still comes from other business leaders and is now directed at the combined CISO/CIO, and this can lead to a new impasse between the CISO/CIO and other business leaders. Dunn and Hanson both have solutions to this problem: requiring the business leader or department that wants to accept a risk against the advice of the CISO to sign off on that risk. This usually does the trick, and their success is partly attributed to the stronger hierarchical status enjoyed by a CISO/CIO over the CISO alone.
There are ethical issues to consider when it comes to risk acceptance. Dunn gives the example of a supplier offering goods at a heavily discounted price, which raises questions of third-party cybersecurity risk and potential risk to the company’s customers. Hanson also talks of ethical issues, such as what the CISO should do if senior management asks them to look the other way for good business reasons.
Recruiting staff is also a different matter for the combined roles, as IT and cybersecurity are very different fields. IT can be taught in schools, but cybersecurity is best learned ‘on the job’. Additionally, there are psychological skills that differentiate the two, and Hanson tends to recruit horses for courses. Dunn, however, is more interested in the person than in any prior experience; she may eventually place a recruit into a particular role, but to begin with she looks at the person as a whole.
Overall, the combination of the CIO and CISO roles is slowly becoming a trend in the business world, as it has the potential to resolve the conflict of interest between running a smoothly functioning IT system and running a secure one. Although there are ethical considerations to take into account, and recruiting staff is a tricky matter, the benefits of combining the two roles outweigh the drawbacks.