CTO vs. CISO
Since 2018, I have held the role of Chief Technology Officer (CTO).
Last month, my role was expanded, combining the roles of Chief Technology Officer (CTO) and Chief Information Security Officer (CISO).
The expansion was the result of an unforeseen personal change and not necessarily part of my career plan.
However, sometimes circumstances present an opportunity and it was certainly a gratifying “vote of confidence” in my ability. Therefore, I willingly accepted, excited by the prospect of personal development and the chance to broaden my value contribution.
With that said, I did have some reservations regarding the impact of combining the CTO and CISO roles, both personally and from a business perspective.
Therefore, I thought I would share my thinking, highlighting some of the benefits and concerns.
As a starting point, I feel it is important to baseline the responsibilities of the CTO and CISO.
It should be noted that these responsibilities are not consistently defined. For example, depending on the company, the CTO role can cover everything from technology operations management to technology innovation (and sometimes both).
Outlined below are the responsibilities of the CTO and CISO at my company.
Chief Technology Officer (CTO)
The Chief Technology Officer (CTO) is the executive responsible for the overarching technology strategy, including investments, architecture, engineering and external engagement.
- Business Development: Partner with the business to build a strategy that supports the company objectives. Help to identify and realise opportunities, including new digital/data business models.
- IT Vision and Strategy: Position IT as a differentiator, delivering a secure, reliable, efficient IT Ecosystem and new value through the creation of innovative digital/data products, services and insights.
- Technology Governance: Establish, embed and maintain a framework of authority and accountability that defines and controls the outputs, outcomes and benefits of Information Technology, ensuring prioritised initiatives have the required structure, sponsorship and funding to succeed.
- Technology Investments: Establish and maintain the technology investment portfolio, including the executive relationships with strategic partners, aiming to maximise the return on investment.
- Architecture: Lead the global architecture community, establishing, embedding and maintaining a framework for the design, development, and implementation of IT/OT solutions. Includes the leadership of Business Process, Solution, Data, and Domain architects, responsible for the creation and maintenance of architecture principles, positioning, methods and models, including technical enforcement mechanisms.
- Engineering: Lead the global engineering community, enabling the design, development, and implementation of IT/OT solutions, alongside rapid development of discovery (experimentation) initiatives. Includes the leadership of Solution, Data, Site Reliability, and DevOps engineers.
- Innovation and External Engagement: Identify and promote technology opportunities that position the company as a market leader in Science, Technology, Engineering and Math (STEM), supporting talent acquisition and external collaboration.
- Coaching and Mentoring: Engage in the community (internal and external) across multiple channels, looking to share, educate and inspire. Support and promote the recruitment and personal development of individuals following a career path in STEM.
Chief Information Security Officer (CISO)
The Chief Information Security Officer (CISO) is the executive responsible for developing and implementing an information security program, covering cyber, data and information security.
- Cybersecurity Governance: Establish, embed and maintain a framework of authority and accountability for cybersecurity across Information Technology (IT), Operational Technology (OT) and relevant Business Functions, ensuring prioritised initiatives have the required structure, sponsorship and funding to succeed.
- Cybersecurity Risk: Partner to analyse, measure and understand cybersecurity risk, identifying potential threats and vulnerabilities following a defined risk framework, including strategies to reduce their likelihood.
- Cybersecurity Compliance: Identify and maintain compliance with relevant global cybersecurity laws, regulations, and industry standards. Establish and maintain roles and responsibilities with key Business Functions, specifically Finance, Legal and Privacy.
- Cybersecurity Architecture: Ensure cybersecurity policies and standards are understood and enforced throughout the design, development, and implementation of Information Technology (IT) and Operational Technology (OT) solutions. Includes the leadership of Information Security architects, responsible for the creation and maintenance of architecture principles, positioning, methods and models, including technical enforcement mechanisms.
- Cybersecurity Operations: Continuous analysis of cybersecurity threats, incidents and investigations, maintaining the global incident response plan that defines the detection, response and recovery processes.
- Cybersecurity Awareness and Education: Deliver and measure cybersecurity awareness and education to improve the acumen of Elanco stakeholders, establishing a culture of security.
- Cybersecurity Technology Foundations: The procurement, design, implementation and support of specific cybersecurity technologies/services, facilitating cybersecurity policies, standards, controls and procedures.
- Executive Engagement: Represent cybersecurity internally and externally, partnering closely with the Executive Committee, Audit Committee and Board of Directors.
Combined CTO / CISO
As highlighted by the responsibilities, there are natural points of convergence, specifically architecture and engineering when targeting Security by Design.
However, each role also includes a range of unique responsibilities, which have the potential to be time-consuming, commonly resulting in two dedicated roles.
Outlined below are the advantages and concerns associated with a combined CTO / CISO role.
Advantages:
- Zero Trust: As highlighted in my article “Zero Trust”, the advent of digital/data business models has resulted in new threat vectors. Zero Trust is a fundamentally different approach to IT security, moving away from the traditional “moat/castle” strategy. It places a strong emphasis on Identity, the Principle of Least Privilege, and Securing at Source. I believe a combined CTO / CISO role could help accelerate the adoption of Zero Trust by positioning a unified strategy, ensuring discipline and removing bureaucracy.
- IT Ecosystem Knowledge: The CTO should have an unparalleled understanding of the IT Ecosystem. Although certain roles have greater domain-specific expertise, very few roles have the full end-to-end understanding, with the ability to deep dive where required. This insight provides a unique appreciation of the strengths and weaknesses, which could help identify and prioritise risks.
- Technical Expertise: Although technical depth is not a requirement of the CISO role, the technical expertise commonly possessed by the CTO could prove invaluable. For example, “code-level” knowledge when dealing with a software-defined IT ecosystem could help identify opportunities and troubleshoot incidents, whilst ensuring appropriate context when assessing risk.
- Delivery/Ops: Security by Design requires product/project teams to embed security into their daily activities. This can be a challenge for dedicated Information Security teams, where roles and responsibilities can become confused or ignored. The established relationships and credibility between the CTO and Delivery/Ops teams should help bridge this gap, promoting and embedding the mission of Information Security.
Concerns:
- Equilibrium: The CTO and CISO roles work best when balancing each other. The CTO should be progressive, pushing the boundaries of what is possible. The CISO should constructively challenge, helping to manage any associated risk. With the two roles combined, a new approach would need to be defined to self-regulate.
- Governance, Risk and Compliance (GRC): A critical part of the CISO role is Governance, Risk and Compliance (GRC), establishing a framework of authority and accountability that defines and controls the outputs, outcomes and benefits of Information Security. This is a process-led (not technology-led) responsibility, requiring a different skill set to be successful.
- Information Security Team: Succession in Information Security is commonly associated with the CISO role. By combining the CTO / CISO role, the expectations regarding expertise and experience are reset. This would likely reduce the viable candidates, potentially impacting morale and creating retention challenges.
- Capacity: As highlighted, the CTO and CISO roles require a significant time investment to be successful as they both include a wide range of highly visible responsibilities. A combined CTO / CISO role will undoubtedly apply additional individual pressure, potentially impacting work/life balance and wellbeing. Certainly something to consider when looking to ensure a healthy “long-term” career.
Conclusion
Looking across the industry, it is common for start-ups and small/medium businesses to have a combined CTO / CISO role. However, it becomes less common at the enterprise level.
In a perfect world, I do believe these two roles are best delivered separately, with a strong partnership. However, business-specific context is critical (every company is different) and there are certain advantages (as highlighted) to a combined role.
As a result, I am optimistic and energised about my expanded role as a combined Chief Technology Officer (CTO) and Chief Information Security Officer (CISO).
I recognise the need to establish and empower a strong team, as well as a clear strategy that promotes appropriate autonomy to ensure success. This will be my focus over the first few months!