The chief information officer (CIO) has always played a significant role in information security and protecting organisations against technology vulnerabilities. But in recent years, as technology has become more central to business operations, both the volume and sophistication of cyberthreats have grown. Thus, the CIO’s leadership role in cybersecurity has become increasingly important. This article examines the evolving role of the CIO in cybersecurity and why the CIO must use the proper controls and processes to ensure companywide data security.
Key Takeaways
- The CIO has always played a role in IT security and protecting enterprisewide vulnerabilities, but given increasing and more expansive cyberthreats, the CIO’s role in cybersecurity has grown.
- The growth of technology within organisations, greater technology interoperation, growing cybersecurity threats and the need to support remote and hybrid work are some of the trends driving changes in the CIO’s role.
- CIOs need to reduce organisational risk, including clearly defining cybersecurity-related roles and responsibilities and creating a strategy for preventing and responding to data breaches.
The Evolving Role of the CIO
In the 1990s and early 2000s, CIOs were largely tasked with overseeing core information technologies and on-premises networks. Today, CIOs must align the technology strategy with the organisation’s overall business strategy and then fulfill those technology requirements with diverse, hybrid on-premises and cloud infrastructures — while playing a vital role in enterprise risk management. A 2022 study conducted by Lenovo found that 82% of global CIOs say the role has become more challenging than it was just two years earlier.
In recent years, some companies have hired chief information security officers (CISOs) specifically dedicated to security. In other organisations, both the CISO and CIO have cybersecurity responsibilities. Yet nearly half (45%) of companies still do not employ a CISO, which means that many CIOs bear chief responsibility for enterprisewide cybersecurity. The smaller the organisation, the more likely this is to be the case.
Even if a company employs a CISO, in most cases the buck ultimately stops with the CIO, who often reports to the CEO and/or the board of directors. ‘The CIO cannot hand responsibility to the CISO entirely’, says Amanda Finch, CEO of the Chartered Institute of Information Security, in a Mitsubishi UFJ Financial Group article. ‘Instead, they need to retain awareness of security strategy and ensure that it isn’t putting the organisation’s overall strategy in danger — or vice versa’.
Several changes are driving the evolution of the CIO role. Let’s examine them more closely:
Technology growth: Today, technology is being embedded in all areas of a company, from corporate strategy to finance, innovation, core operations like manufacturing and inventory management, sales, marketing and human resources/talent management. These factors contribute to the biggest change of all: the CIO’s growing participation in business strategy. Today, the CIO is commonly tasked with leading innovation, providing guidance on digital strategy and supporting business growth through technology.
Digital transformation: The increasing digitalisation of all aspects of business introduces new or emerging technologies that a CIO needs to become aware of — and fast. The CIO must be prepared to incorporate emerging technologies, such as cloud computing and AI, into their business-technology alignment thinking.
Collaboration: The CIO must partner with other departments to raise business productivity through better integration of data and processes, and to ensure that cybersecurity is embedded in all business functions. In the past, IT systems typically worked within silos. Today, most companies have more systems than ever before, and more of them interoperate with one another. For example, a company might ingest data from multiple sources and then share that data among different departments for analysis, or an inventory management system might trigger a sales invoice when an item leaves the warehouse for customer delivery. Greater connectivity and interoperability mean a broader digital ecosystem that allows for a more automated, efficient business. The CIO must ensure that all those interactions and their related processes are secure.
Broader cybersecurity awareness amid growing threats: Cyberattacks can result in significant loss of revenue from disrupted business operations, as well as reputational damage. In recent years, ransomware has disrupted major operations and brought businesses to a halt, including attacks on critical infrastructure like hospitals and energy pipelines. Today, cybersecurity ranks as one of the top CIO challenges, and boards of directors are prioritising it. According to Gartner, worldwide information security and risk management spending will reach US$188.3 billion in 2023, up more than 11% from 2022. And, according to IDC, it’s growing faster in the Asia-Pacific (APAC) region: up 16.7% in 2023 to US$36 billion.
CIO Roles and Responsibilities in Cybersecurity
CIOs must clearly define their own and their teams’ cybersecurity-related roles and responsibilities, and create strategies for preventing and responding to data breaches. As cybersecurity leaders, CIOs should consider the following among their roles and responsibilities:
- Make cybersecurity a top investment, both financially and strategically. Given the threat landscape, cybersecurity should be at the top of every CIO’s priority list. Unfortunately, there has often been a disconnect between the ranking of cybersecurity as a top priority and corporate investment in cyber-defence. But that may be changing. In an annual CIO survey from Gartner in November 2022, 66% of global respondents said they planned to increase investment in cybersecurity in 2023, making it the top priority for CIOs going into the new year. While Gartner is noted for its large-enterprise focus, companies of all sizes are concerned about cybersecurity.
- Develop a comprehensive cybersecurity strategy that takes into account the company’s specific threat landscape. Each business practice within an organisation has its own nuances and vulnerabilities. As more business areas adopt and use technology, the CIO must know enough about those technologies and business areas to identify vulnerabilities and opportunities for intrusion or disruption. The CIO must then ensure that each business area is fully prepared to block any efforts to capitalise on those weaknesses. For example, according to Cybereason, the types of companies most likely to be affected by a ransomware attack include legal (92%), financial services (78%), manufacturing (78%) and human resources (77%).
- Thoroughly vet and carefully manage technology partners and suppliers. The CIO should ensure that the software and systems their organisation invests in have a strong security posture and are backed by a long-term player in the technology industry. Before contracting with a vendor, the CIO should have external cybersecurity experts prepare a thorough analysis of the vendor’s security practices, including the appropriate audits, questionnaires, on-site visits and penetration tests. The products and solutions the CIO then deploys should use security strategies embracing both application components (hardware or software that defines which activities are allowed and which are prohibited) and operational components (process-based efforts, such as data-classification processes that identify all sensitive data residing in the cloud-computing environment) to block unauthorised network and service connections and create multiple layers of protection for the business.
- Ensure compliance with regulations and standards. The number of regulations businesses must adhere to seems to get larger and more complex each year. That’s especially true when it comes to the personally identifiable information (PII) many businesses must collect — and cybercriminals seek. CIOs must keep abreast of the regulations they must comply with because those often change from year to year. CIOs must also be prepared to communicate their cybersecurity posture and any risk to both internal and external parties when compliance information is requested.
- Focus on training for cybersecurity awareness. According to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches involved a human element, including incidents in which employees exposed information directly or made a mistake that enabled cybercriminals to access the organisation’s systems. This is often accomplished through sophisticated phishing attacks, which are growing rapidly. More than 255 million phishing attacks occurred in just the first six months of 2022, a 61% increase from 2021. Education and training are key to preventing phishing attacks and other inadvertent data leaks. CIOs should drive the process of creating a cybersecurity-aware culture within their organisation, including regular testing of employees’ awareness of known threats, scams and red flags.
- Use controls and tools to mitigate cybersecurity risk. To defend the organisation against the most common IT risks, use processes and tools such as strong passwords, controlled access to data and systems, firewalls, security software and intrusion-monitoring systems. CIOs need to ensure that systems and programs are updated regularly and that cloud-based systems comply with standards, such as SOC 1, SOC 2 Type 2, ISO 27001 and 27018, PCI DSS and PA-DSS, throughout the software development life cycle.
- Maintain awareness. Subscribe to threat intelligence services and keep an eye on the news to stay apprised of emerging threats in real time. Share regular updates about security with the CEO, senior-level executives and the board of directors.
- Foster ongoing communication. Open communication and good relationships can help solve complex security challenges. The CIO should work closely with other departments, such as HR, legal and compliance, to ensure that the organisation’s cybersecurity policies are integrated into overall operations. They can also build consistent communications about cybersecurity with boards. According to one Australian CIO, among the keys to successful board communications is to provide regular, transparent reports that distill relevant information and present it in the board’s language — namely, the language of business risk management. ‘They meet for three hours, and they probably have 20 hours of content to cover: mergers and acquisitions, divestitures, financials and accounting, legal risks, strategy, talent issues, a pandemic’, says the CIO. ‘The capacity left for cyber is quite small’.
- Build world-class incident response. Even the most secure organisation can experience a security breach. Be prepared by creating a cyber-incident response plan. The plan should outline what the organisation will do in case of a data breach or other security incident, including how to validate that an incident occurred and how to document and communicate about it. The plan should include roles and responsibilities, reporting procedures, relationships to other policies and procedures and more, depending on the organisation developing it. Examples of such plans can be found online.
- Secure remote workers. When the global pandemic sent many employees home to work remotely, CIOs had to figure out quickly how to secure remote work environments. Savvy cybercriminals were paying attention. According to McAfee Enterprise and FireEye, 81% of global organisations experienced increased cyberthreats during COVID-19. As we enter the third post-pandemic year, hybrid work environments have become the norm for many organisations. But a hybrid workforce can be harder to support than a fully remote workforce. And just as they did during the pandemic, cybercriminals are looking for ways to exploit security loopholes. For CIOs, that means finding technologies that enable employees to work from anywhere and promote collaboration without risking corporate security.
How NetSuite Helps Keep Organisations Secure
NetSuite takes security seriously. NetSuite Enterprise Resource Planning (ERP) offers multiple layers of protection, including role-based access controls, multifactor authentication (MFA) for people, token-based authentication for applications and data encryption. Running in data centres built on the industry-leading Oracle Cloud Infrastructure (OCI), NetSuite employs constant monitoring and is staffed by a dedicated, expert security team. NetSuite security also includes leading practices around governance, risk and compliance. NetSuite is externally audited to SOC 1 Type 2 and SOC 2 Type 2 (SSAE18 and ISAE 3402) standards, while maintaining ISO 27001 and 27018, PCI DSS and PA-DSS compliance. In addition, round-the-clock monitoring and a dedicated and tenured security team backed by advanced tools, controls and policies help ensure the strongest operational data centre security.
The role of the CIO has evolved significantly over the years as CIOs have taken on more strategic responsibility. With cyberthreats occurring more often and costing organisations more than ever, CIOs must ensure that their organisations use best cybersecurity practices to safeguard networks and systems.
CIO Role in Cybersecurity FAQs
What are the roles and responsibilities of a CIO?
Today, CIOs must align their organisation’s business strategy with its technology strategy while running diverse, hybrid technology infrastructures and playing a vital role in overall enterprise risk management efforts.
Is CIO higher than CISO?
A chief information security officer (CISO) is typically directly responsible for data security. But, in most cases, the buck ultimately stops with the CIO, who often reports to the CEO and/or the board of directors.
What is the relationship between a CIO and a CISO?
The CIO and the CISO typically work together to manage responsibilities around cybersecurity within an organisation. Usually, the CISO reports to the CIO but sometimes reports directly to the CEO.
How does a CIO use technology?
A CIO typically oversees the use of technology within an organisation. When it comes to security specifically, a CIO may use technology tools, such as firewalls, security software and intrusion-monitoring systems, to protect the organisation from common IT risks.