This independence can lead to accountability issues and increase inefficiency
I do not agree with this view. The information security function has been evolving ever since its inception. However, depending on the size of the organization and the way the security function or the CISO role is structured, in my view, giving independence to the security function has its own complications. In an organization, the brand does not understand information security, and fixing loopholes needs the support and involvement of the CIO for strategic deployment without impacting business as usual.
The CIO and CISO usually serve as advisors to the organization. In a scenario where the security and IT roles are handled by two different leaders, this independence can lead to accountability issues and increase inefficiency. Handling the twin roles of CIO and CISO, I believe that every CIO wears the CISO's hat before venturing into any technology. After all, security is a critical element of any organization's IT strategy.
To respond to increasingly sophisticated threats, CIOs have to think security-first before embarking on digital initiatives. The general perception is that a CIO doesn't understand security and that budgets are spent only on security tools. This is incorrect. A CIO spends enough time understanding risks and considers all stakeholders before implementing any control or strategy. Benchmarking the level of information security cannot be done in silos; it needs focused thinking, which can arise only when the CIO handles the enterprise security function. The CIO is now in charge of enabling secure digital transformation. The security and IT roles go hand in hand for the CIO. While deliberating before investing in digital technologies, the CIO wearing the CISO hat can focus on analyzing the total business risk.
The CIO, while making sure that information is available and accessible, can also ensure that information is available only to authorized users. Today, the CIO wearing the CISO hat can also manage and protect information and assets. Clearly, the convergence of knowledge is good here. Many security controls are tailored for common users, and that can hinder business as usual. Independent enterprise IT and security functions will generate more conflicts and disruption in operations. A CIO wearing the CISO hat, on the other hand, can resolve any disruption. The combined role will ensure reduced financial losses, reporting of security incidents, agility in services, visibility, and transparency within budgets.
The author is Head IT & CISO, Orbis Financial Corporation