Combining CIO and CISO roles – Inappropriate?
Some clients are expressing their intention to combine the responsibilities and positions of Chief Information Officer (CIO) and Chief Information Security Officer (CISO) to decrease costs. The two roles, although related, have traditionally had different priorities, and placing them under one person creates a real conflict of interest. The CIO is an executive who oversees information technology (hardware and software, testing, implementation and support) in order to deliver on enterprise goals. The CISO, in a related capacity, is focused specifically on the protection of enterprise data and on all aspects of security. Merging these two complex and demanding roles could prove to be an imprudent organizational change.
Consider the following:
“In addition to overseeing the hardware, software and data that help other members of the C-suite do their jobs effectively, the CIO must research new technologies, strategize how technology can provide business value and address the risks associated with digital information.”1
“The CISO must understand how to protect these systems with special hardware, software and secure business processes. Not only do CISOs secure computer systems, but they also create, implement and communicate the organization’s digital information security policies and procedures. In the event of a confidentiality breach, the CISO must know how to handle an emergency situation with an established business continuity plan (BCP).”2
Combining the two roles is a heavy load for any one individual to carry and maintain, if not an impossible one. Both executives do have large support staffs and do not act alone, but the staff does not remove the problem: it is the executive who sets priorities, allocates budget, signs off on risk acceptance and answers to the board and regulators, and that accountability cannot be delegated. The positions of CIO and CISO each require a tremendous amount of business knowledge and perspective, technology comprehension, and understanding of regulatory requirements, and that knowledge must continually be kept up to date. In fact, regarding the role of the designated security official, current regulatory requirements state:
HIPAA – “A covered entity must designate a security official who is responsible for developing and implementing its security policies and procedures.”3
GDPR – “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.”4
PCI DSS – “Assign to an individual or team information security responsibilities defined by 12.5 subsections.”5
(Note that the GDPR text concerns the Data Protection Officer, a role distinct from the CISO; GDPR Article 38(6) additionally requires that any other tasks given to the DPO must not result in a conflict of interests, which is the same principle at issue here.) Regulatory requirements aside, the assumption that the CIO can also act as an impartial CISO asks a great deal. The CIO is measured on delivery, uptime, user satisfaction and cost; the CISO is measured on reducing risk, which frequently means slowing or constraining exactly the projects the CIO is accountable for. A single individual making both sets of decisions is constantly negotiating against himself. Some conflicts have no easy compromise: a go-live date that cannot move versus a penetration test or risk assessment that is still open; a budget that can fund either a new business capability or the logging, patching and access controls that capability needs; a request from the business to retain "just one more" legacy system past its end of support. In some instances the action one role must take is in direct opposition to the other, most visibly when the CISO must report to the board that IT operations under the CIO are the source of an unremediated finding, or must order a system taken offline during an incident while the CIO is accountable for keeping it running. The separation exists for the same reason a company does not let the person who keeps the books also audit them: the person who builds and runs the systems should not be the only person who judges whether they are secure. That balance of interests is what the second role provides, and a single individual cannot be expected to achieve it alone.
When considering the substantial responsibilities of the two positions, the potential conflicts of interest, and the industry-specific regulatory requirements, combining the roles of CIO and CISO is ill-advised. The case is strongest for organizations large enough to sustain two executive roles; a smaller organization that cannot fund both should at minimum give its designated security official a reporting line that does not run through the CIO, so that security findings reach the business without being filtered by the person accountable for the systems they describe.
1. What is a CIO (Chief Information Officer) and What Do They Do? (techtarget.com)
2. Chief Information Security Officer (CISO) – Definition from Techopedia
3. Summary of the HIPAA Security Rule | HHS.gov
4. Art. 37 GDPR – Designation of the data protection officer – GDPR.eu
5. PCI DSS v3.2.1 Quick Reference Guide (pcisecuritystandards.org)