White Paper
Empowering Good Governance of Cyber Security
Digitalisation is everywhere and so are cyber security incidents. With the increasing dependence on IT, the roles of the Chief Information Officer (CIO) and the Chief Information Security Officer (CISO) are crucial in safeguarding an organisation’s reputation and trustworthiness, while ensuring the integrity of its IT infrastructure. In our daily practice, we often encounter the conflation of these two crucial roles. This choice of governance leads to inefficiencies, conflicts of interest and vulnerabilities in the organisation’s security posture.
What we come across most is the CIO also taking the role of the CISO, or having the CISO as a direct report. This choice might make sense for smaller businesses from a cost perspective. However, midsize and larger organisations, which often need to adhere to regulations like NIS2, DORA, GDPR and CSA, should seriously consider structurally ensuring the independence of these two roles.
The upcoming NIS2 and other European regulations explicitly define the cyber security responsibilities of the board, increasing the personal accountability of both executive and non-executive board members. This warrants closer attention from them to how continuous control over this topic is organised.
This piece outlines the seven most important arguments for why the roles of CIO and CISO should be separated to empower good cyber security.