CTO vs. CISO: Who should have ultimate responsibility for cyber security?

In an environment facing an increasing variety of cyber threats, who should be in charge of an organisation's cyber security?

Cyber security is now rarely out of the spotlight, with high-profile incidents reported with increasing regularity. From Equifax’s data breach to the ransomware attacks on the NHS, it seems no organisation is safe.

Added to this are the huge changes that many organisations are going through – disruptive technologies and competitors, new business models and mobile working practices – each of which brings its own security issues.

As cyber security incidents increase, so too does awareness at board level that this is an area that needs close attention. The C-suite is waking up to the fact that even one incident could have a disastrous impact on their organisation’s reputation – not to mention cost them their jobs.

‘Catapulted into the boardroom’

In the past many boards overlooked cyber security responsibilities, preferring to leave them to the ‘experts’ within the business; that is no longer an option. Cyber security has been catapulted into the boardroom. As a result, questions over who has ultimate responsibility for cyber security abound. Does the buck stop with the CTO, or should the CISO have a place in the boardroom?


Traditionally, CISOs have been brought into organisations to own risk management, resilience and recovery, and they have predominantly come from a technology background. Indeed, many have been viewed as gatekeepers who could (and would) veto any activity they deemed a security risk.

However, in an increasingly competitive and disruptive business environment, this approach is no longer sustainable. CISOs now need to balance security concerns against allowing the organisation to harness the latest digital technologies in order to remain competitive and innovative. Cyber security has an increasingly important role to play in enabling effective digital transformation.

The role of the CTO is, of course, much wider ranging. Security has always been, and will no doubt increasingly be, a core element of any CTO’s role; but in reality the CTO’s remit is too broad for them to give cyber security the attention it needs.

Every organisation, from SMEs to multinationals, needs someone who is wholly responsible for security: someone who can not only identify and plan for attacks, but who has the ‘playbooks’ in place to respond to and recover from them. The real question is whether this person, as the CISO, reports to the CTO or sits alongside them as a peer.

The answer is of course never black and white, and depends very much on context, especially the maturity, scale and complexity of the organisation.

Embracing a culture of security

Businesses that have grown up with technology or digital capabilities at their core tend to have a more ingrained awareness of security, and an embedded culture of always considering the cyber security implications of what they do.

While these organisations will still need someone to ‘own’ cyber security, the ultimate responsibility for it can often sit with the CTO, with the CISO (or similar role) reporting directly to them.


Individual strategy

For organisations that are either less digitally native, or particularly large or complex, it often makes sense to have a CISO as a peer to the CTO. He/she can then work alongside the CTO, report to the board, and help to encourage an overall culture of cyber security across the business.

That work includes not only establishing what cyber security procedures are already in place, but also ensuring that the right people, processes and technology are put in place.

So, when it comes to CTOs and CISOs, businesses shouldn’t think in terms of either/or; instead, they need to think about the type of CTO and the type of CISO who will work best for their organisation, taking into account its size, maturity and complexity.


Sourced by Chris Underwood, managing director of executive search and leadership development consultancy, Adastrum Consulting


Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...