If your company has a CISO, then it's probably also got a CIO — Chief Information Officer — and maybe even a Chief Technology Officer (CTO). The CISO may report to the CIO, and the CTO likely does too.
Ideally, the holders of these three jobs would work harmoniously together. But they're often at odds because the roles almost seem designed to work at cross-purposes.
"There's a big disconnect between the CIO, the CTO, and the CISO," says Theresa Lanowitz, Chief Cybersecurity Evangelist and Head of Thought Leadership at LevelBlue, a managed security service provider jointly formed by AT&T and WillJam Ventures. "The CTO is all about innovation and doesn't really put much emphasis or focus on risk. The CIO is assuming that everybody else is managing risk, and the CISO is the one who's saying, 'No, you can't do this.'"
The CIO also has to bridge the gap between the CISO and the CTO while at the same time supervising the IT staff, pitching the top brass for budget increases and taking the long-term view of how technology can help the organization.
This clash of roles can hold back a company's efforts at cyber resilience, which is defined as its ability to rapidly bounce back from a system-wide network meltdown or other large-scale information-technology failure.
Whether an IT outage is caused by a ransomware attack, a power blackout or a bad software update, what matters in cyber resilience is how quickly and thoroughly the organization can get its crucial computer systems and networks — its entire IT estate — back up and running.
For maximum cyber resilience to be achieved, the CIO, CISO and CTO need to be on the same page. And the impetus for organization-wide cyber resilience often needs to come from the very top, from the CEO or the board.
Cyber resilience "requires all the stakeholders in the organization to come together to collaboratively work on a problem," says Lanowitz. "It requires ongoing collaboration and communication across stakeholders in the business. From the leadership on down, you have to set the agenda that says cyber resilience is something that we're concerned with."
Think different
CIOs, CISOs and CTOs clearly had divergent attitudes toward technology and risk in a recent opinion survey, commissioned by LevelBlue, that polled 1,050 C-suite and senior executives across a range of industries in 18 countries. The results were published in LevelBlue's 2024 Futures Report and a companion piece, the 2024 LevelBlue C-Suite Executive Accelerator.
Two-thirds (66%) of CISOs felt their budgets didn't allocate enough toward proactive cybersecurity measures that would prevent incidents instead of just reacting to them. Barely half — 53% and 55%, respectively — of CTOs and CIOs agreed.
Likewise, 73% of CISOs said the practice of cybersecurity was "unwieldy, necessitating tradeoffs" with competitiveness and efficiency, while only 58% of CIOs and CTOs felt the same way. The same percentages were found in attitudes about AI deployment, with many more CISOs feeling "more pressure to implement AI strategies" than CIOs or CTOs.
On the flip side, nearly three-quarters (73%) of CTOs said that regulations and compliance stifled competitiveness. That's in contrast to 61% of CISOs and 55% of CIOs who, according to LevelBlue, tended to "view compliance as an integral component of risk management and operational stability."
And while 74% of CIOs and 73% of CISOs worried about supply-chain attacks, only 64% of CTOs were concerned. The single issue that all three could agree on was cloud computing, which 83% of CIOs, 82% of CTOs and 80% of CISOs were happy about.
"The pressure to implement AI and the impact of compliance reveal significant divergence, with CISOs feeling the operational pressures more acutely, while CTOs are more concerned about barriers to innovation," summed up LevelBlue. "CISOs focus on managing immediate security challenges, and CTOs emphasize maintaining competitive technological advancement."
All together now
How can you get the CTO, CISO and CIO to work toward the common goal of cyber resilience? Lanowitz says one key step is to give the CISO an equal voice.
"In many cases, the CISO is reporting into the CIO or the CTO, and not necessarily reporting into a top executive," she says. "If the CISO is reporting to the CTO, everything looks like the business of computing. The CISO isn't getting a fair opportunity to be able to communicate what needs to be done."
In its 2024 Futures Report Executive C-Suite Accelerator, LevelBlue lays out several more steps that the CISO, CIO and CTO can each take to better cooperate. We'll look at the top three from each.
CIOs need to:
1. Improve collaboration across departments by "working closely with the CISO and CTO to ensure that external and internal risks are comprehensively assessed and mitigated." Lanowitz told us it's best to "break down the silos that exist in the organization."
2. Promote proactive cybersecurity investments by "highlighting the long-term benefits of forward-looking cybersecurity measures," as opposed to strictly reactive ones. When it's time for the CIO to sell the idea to the board, the CISO can provide crucial backup.
3. Leverage cloud-computing benefits, something CIOs, CISOs and CTOs can agree upon. "The CIO should leverage these advantages to enhance cybersecurity resilience," says LevelBlue, by "adopting cloud solutions that provide robust security features and ensure data protection."
CTOs must:
1. Balance innovation with compliance instead of being tempted to skirt rules and regulations. LevelBlue argues this can be done by "integrating compliance into the innovation process and adopting technologies that facilitate regulatory adherence without stifling creativity."
2. Improve supply-chain security by working directly with the CISO, and maybe the CIO too. "The CTO should implement robust security measures across the supply chain," LevelBlue says, "conducting regular security assessments of suppliers and integrating supply-chain security into the overall cybersecurity strategy."
3. Strengthen internal security measures by "adopting advanced security technologies and ensuring that security protocols are seamlessly integrated into the technology infrastructure." Again, this would require working closely with the CISO.
Finally, CISOs should:
1. Advocate for proactive cybersecurity budgets by going straight to the CEO or the board to put forward "a compelling business case" for "the long-term benefits of proactive investments in cybersecurity."
2. Integrate AI into security strategies and work with the CTO, choosing "AI tools that offer the most significant security benefits and ensuring they are effectively deployed."
3. Strengthen external risk assessments by working with the CIO and CTO to understand supply-chain risks. Carry out "comprehensive assessments of external partners" to make certain "they adhere to the organization's security standards."
Total organizational awareness
Robust cyber resilience cannot be accomplished without firm commitment and backing from a company's top leadership. Unfortunately, that support doesn't always materialize on its own.
Sixty-three percent of respondents in the LevelBlue survey, whatever their roles, said that "leadership doesn't prioritize cyber resilience," while 72% added that "their governance team doesn't understand it" either.
Only 40% said cybersecurity was part of IT planning; 46% said it was included in corporate-strategy meetings.
This lack of understanding among non-technical executives is a major issue in many organizations. It will take the joint efforts of the CIO, CTO and CISO to persuade the top brass to take steps toward achieving cyber resilience.
Only then can the organization begin to, as the LevelBlue Futures Report puts it, "view cyber resilience as a strategic business priority, not just a technical issue."
"The purview of the C-suite is to deliver better business outcomes, to make sure that their organization is safe and protected," Lanowitz says. "Cyber resilience is definitely a C-suite initiative."