The role of the CISO, the CIO and the Board: Part 1

JC Gaillard's column on cybersecurity

In earlier articles this year, we examined the challenges the CIO faces around Information Security, the importance of the CISO’s reporting line, and the fundamental role the Board of Directors has to play to drive security transformation.

In this short series, we revisit and develop further some of these aspects, taking into account new reflections as well as feedback we have received on past articles.

Part 1 – Digital Transformation vs. Organisational Legacy

The lines are shifting for the CISO and the CIO
The hybrid role of the CISO

Beyond the functional distinctions we analysed in our reporting line article (CISO as a Figurehead / CISO as a Fire Fighter / CISO as a Change Agent), we need to consider the positioning of the role in the “three lines of defence” model in more depth.

Our analysis of the best reporting lines for the CISO can be read and would function well in a first or second line positioning for the role. We have expanded upon this in a separate article, focused on GRC and making it work for InfoSec, in which we highlighted a functional model for Information Security to be effective and efficient in a proper second line position.

However, these reflections assumed a reasonably pure application of the concepts and a clear and traditional demarcation between first and second lines. In practice, this is rarely the case. The “three lines of defence” model is often poorly understood and poorly applied, leading to a variety of (more or less dysfunctional) hybrid models.

Judging by social media and broader online engagements, most people holding a CISO job title seem to be in a first line position, in charge of delivering technical protective measures across the IT estate. They have a strong interest in technical security matters, breaches and products.

But the reality is that the role of the CISO has been evolving organically and tactically for many years.

Many CISOs have been forced to develop risk management and compliance reporting capabilities, which should normally sit in the second line. This is often driven by the immaturity, irrelevance or lack of interest of the corporate Risk and Compliance functions around them. In a number of cases, this move was prompted or encouraged by auditors or regulators. This is common in many financial firms where Risk and Compliance have been well-established corporate practices for decades, but have only woken up to Information and Cyber risk fairly recently, and are often struggling to articulate a meaningful message in that space.

In a different type of hybrid scenario, some of the few CISOs who seem to be positioned in the second line might have been forced to take on board “first line” operational duties because they were seen as the most able to deliver those successfully.

At the same time, the CISO is almost always a technologist by background – but not always a successful one. We have highlighted many times in previous articles that IT professionals are trained and incentivised to deliver functionality, not controls – and as a result, IT Security is rarely a path to the top.

Information Risk and Compliance practices developed by first line CISOs in a “bottom-up” manner are rarely comprehensive, and are often poorly connected to other Risk and Compliance activities taking place across the organisation. Operational activities delivered by second line CISOs are often seen as inefficient and expensive, because many service management activities and technology platforms end up duplicated.

This is generally a symptom of broader governance problems, and it is not uncommon to encounter large organisations where various overlapping functions, such as Information Security, Data Management and Data Protection, co-exist under different reporting lines, with little coherent coordination between them.

This is an environment where many CISOs struggle, burdened with a legacy position and legacy organisational arrangements which do not suit the needs of today’s enterprise.

The changing role of the CIO

Most surveys indicate that a majority of CISOs report to the CIO. We have stated repeatedly that it is not necessarily a problem, and that the reporting line should be determined on the basis of functional objectives instead of being driven by arbitrary separation of duties considerations. Those often create unnecessary barriers, fuel internal politics and prevent progress.

At the same time, the role of the CIO has changed and will continue to evolve over the short to mid-term. This is simply driven by the fast-paced evolution of technology over the past 10 years:

  • Cloud computing has dramatically changed the way IT is structured, delivered and supported. At the coalface, a CTO (Chief Technology Officer) is often in charge of all IT infrastructure aspects, working closely with a large array of external vendors while still dealing with all legacy systems and their problems.
  • Many CIOs must respond to digital transformation challenges and data monetisation opportunities, but they may have to compete with two different types of CDO (Chief Digital Officer / Chief Data Officer) in translating business needs into IT requirements and delivering them. The Chief Digital Officer typically helps the business embrace digital innovation and stay ahead of the competition, while the Chief Data Officer is often charged with helping the business make the most of the data it uses, monetising it where possible using Big Data technology.
  • In parallel to these changes, IT commoditisation at large has introduced layers of “shadow IT” across the enterprise that have to be managed.
  • All of these factors considerably alter the background against which technology solutions have to be conceived and delivered.

The CIO has to learn to deal with new stakeholders internally and externally, and needs to become more of an influencer and less of a technologist. The CIO also has to learn to be less “in control” of IT and needs to develop a more structured attitude towards risk, in particular with regard to third parties.

Large organisations are not all at the same degree of maturity in relation to these concepts, but failure to grasp the depth of such transformational challenges may confine the CIO to the management of legacy IT while the CDO role takes centre stage.
JC Gaillard

Managing Director

Corix Partners