Information technology and cybersecurity chiefs grew closer than ever in 2022, a dynamic allowing for more comprehensive threat mitigation, but raising new questions over responsibilities.
Many executives now say that as their roles around cyber appear to converge, they are working to sort out the dividing lines between their shared security and IT responsibilities.
A few years ago, if organizations were hit with a ransomware attack, the chief information officer “would come running” to the chief information security officer for help in dealing with the aftermath, said
the CISO of database service provider
Now, Ms. Smart said her security department works with CIO
to get ahead of ransomware attacks. About 50% of the company’s threat planning simulations, in which IT plays an active role, involve ransomware scenarios, according to Ms. Smart.
Across organizations worldwide, CIOs and CISOs are redefining their relationships, a shift reflecting both a surge in high-profile cyberattacks, and cybersecurity’s steady rise to the top of CIOs’ priorities—the result of continuing IT modernization, analysts say. In the most common corporate structure, CISOs report to CIOs.
“It is cybersecurity. …That is the highest priority,”
chief of research at technology research and consulting firm
The accelerated adoption of cloud computing and cloud-based software in enterprise technology environments has also made the cloud “the main target for top-tier attackers,” said Phil Venables, the CISO of
That, too, has forged closer ties between CIOs and CISOs, as they put greater focus on protecting infrastructure across cloud environments, Mr. Venables said.
The closer ties aren’t without tension.
In some cases, CIOs and CISOs have “difficult conversations” about what priority the IT team should give to tasks like software patching and system monitoring, which are crucial for mitigating cyber threats, said
the CIO of utilities provider Duke Energy Corp. Those tasks can add to the workload of an IT operations team, Ms. Titone said.
The Charlotte, N.C.-based power producer moved cybersecurity under Ms. Titone’s purview about a year ago, partly in response to cyber threats like the ransomware attack that led Colonial Pipeline Co. to temporarily shut down its pipeline in 2021.
“Being in a utility, specifically one of the largest, Duke’s kind of the 800-pound gorilla,” Ms. Titone said. “We generally have a target on our back.”
Though the CISO reports to her, Ms. Titone said security has “the biggest bark in the room.” On the other hand, “IT’s job is to enable the company, or else you can’t build tools and rules and components. That stops you from innovating,” she said.
the CIO of healthcare-products company
says although security sits within his priorities and responsibilities, he makes sure the CISO
‘s voice is heard. Ms. Allison is retiring at the end of the year, the company said, and will be succeeded by
“I’ve always made sure that it is a prominent function, reports at my leadership team table, it’s not buried in the organization, they have an independent voice,” Mr. Swanson said. “So when I talk to our board, I talk about our operational data, and my CISO does the presentations.”
the CISO sets corporate cybersecurity policies but works with the IT organization to execute them, said
the company’s chief information officer. But there is also collaboration between them where “security may set the policy, but my team is raising, ‘Hey, have you thought about this?’” Ms. Stoddard said.
the CIO and former CISO of software maker
said IT and security have shared roles in evaluating the cybersecurity resiliency of corporate software purchases. And in securing a hybrid work environment, his joint cybersecurity and IT roles included adding a new cybersecurity layer on top of cloud-based software on company laptops.
MongoDB’s Ms. Smart said that she is often collaborating with Ms. Lieberman to secure applications developed by the company’s software engineers for internal use. “We have a lot of bespoke tools being a tech company,” she said. “If we find something and it’s got a critical vulnerability, they’ll fix it immediately. That’s the agreement.”
As the demand for corporate security leaders has grown—along with elevation and visibility of the role—there is renewed interest in the dynamics between the CIO and CISO, said
a Gartner adviser who works with IT leaders.
Mr. Michaels recommends that CIOs and CISOs “establish clear definitions of ownership, accountability as well as roles and responsibilities,” particularly for ransomware and malware attack scenarios.
“Regardless of the relationship between the CISO and CIO, it is important to remember that the business owners of information are ultimately accountable for protecting their own information,” he said.
— Isabelle Bousquette contributed to this article.
Write to Belle Lin at email@example.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.