
Three Reasons an Organization’s CISO Should be Independent of its CIO

Schellman

As the need for information security grows across every industry and cyberattacks reach an all-time high, now is the time for organizations to empower their Chief Information Security Officer (CISO). This investment encompasses a whole host of things, but chief among them is making the CISO fully independent of the Chief Information Officer (CIO).

For decades, technology and security have gone hand-in-hand, and this bifurcation may, on its face, seem counterintuitive. But it’s the only way to ensure that organizations have a holistic security strategy in place that will keep them secure, protect employee and business data, and minimize ransomware threats. 

Eliminate Friction to Build Trust

A key motivator for organizations to separate the CISO from the CIO is to give the CISO greater management responsibility and control over the cybersecurity program. This removes potential friction with the CIO over matters such as budgetary constraints or security strategy. Further, an independent CISO ensures that cybersecurity remains an organization-wide priority and that security strategies align with broader business objectives, not just broader IT initiatives. For example, according to a study from Moody’s, cybersecurity spending has increased about 70% since 2019, and cybersecurity spending as a share of total IT spend has risen from 5% to 8%. With this influx of spending, conflicting priorities between CIOs and CISOs become more likely, limiting overall IT and cybersecurity productivity.

So, by giving CISOs autonomy from the CIO, organizations can designate separate budgets for cybersecurity and IT. This, in turn, alleviates any potential conflict of interest between the CIO and CISO, who likely have differing opinions on where funding is best spent, and allows both teams to be more agile in keeping up with the ever-changing technology market. By taking this approach, partners and customers will see that security is not a simple check-the-box activity, fostering greater trust and a stronger relationship.

Security at the Forefront of Company Culture

According to Proofpoint’s Cybersecurity: The 2023 Board Perspective Report, 53% of surveyed board members still view their organization as unprepared to cope with a cyberattack in the next 12 months. To remediate this issue, organizations need to shift their company cultures to a security-first mindset. A key step in making that transition is ensuring that investment dollars are spent wisely.

With Gartner projecting that worldwide end-user spending on security and risk management will total $215 billion in 2024, an increase of 14.3% from 2023, organizations need to make this mindset shift soon.

An independent CISO ensures that the right security measures are adequately funded. 

Coupled with wise security spending, organizations need to ensure their teams aren’t working in silos, so as to foster better cross-functional collaboration. With a mandate to oversee activity across departments and business functions, CISOs can readily understand each team’s unique needs and concerns and then communicate the influence that each individual employee has on the organization’s overall security posture.

Minimizing the Impact of Disaster

With attacks at an all-time high, cyber incidents have become a matter of when, not if, for many enterprises. So, for organizations to be best prepared for these events, CISOs must have a direct line to the CEO to create well-rounded disaster recovery and business continuity plans. 

With only 5% of CISOs reporting directly to CEOs, according to Heidrick and Struggles, businesses need to shift their thinking to put CISOs in the best position to protect their organization. A direct reporting line ensures that disaster recovery and continuity plans are aligned with the organization’s overall cybersecurity strategy and risk appetite, which results in more effective risk management practices. Further, it enables CISOs to take a holistic view of the company’s entire IT security landscape, evaluating and addressing risks that affect legal, compliance, reputation, and operational continuity. In doing so, each business unit is much better prepared for threat actors and cyber incidents, leading to minimized impact, disruption, and downtime when attacked.

As the world continues to digitize and the threat of cyberattacks persists, every company needs to be prepared for security incidents. Providing CISOs autonomy best positions them to protect their organization. Only then can they have the necessary insight into the company’s security budget, the power to enact customized security and disaster recovery policies, and the ability to foster a security-first culture where everyone across the organization plays their part in securing the business.
