The critical need for independent CISOs in modern organizations

Oct. 24, 2023
An effective CISO must be independent of the CIO and have their own seat at the decision-making table

Every day your company avoids a data breach or ransomware attack, remember to thank your Chief Information Security Officer (CISO). CISOs are often unsung heroes because, if they do their job right, nothing happens. Your company stays secure, and they stay out of the spotlight.

However, when something does go wrong, the CISO is the person called before the board and the one who’s accountable.

There will always be vulnerabilities, and as technology evolves, new gaps or opportunities for bad actors pop up every day. It’s impossible for a CISO to know what new technology will emerge next that allows bad actors to infiltrate their systems, but they can ensure that a company operates in compliance with all the latest policies and standards and that security is a priority, which will prepare an enterprise for an inevitable attack.

But that’s only if they’re empowered to do their job and do it well. Right now, many CISOs report to Chief Information Officers (CIOs), creating too much of a barrier for them to be effective. It’s imperative that they are separate from the CIO and have their own seat at the table to guide best practices and create a culture that treats cybersecurity as a priority.

Enforcing Customized Security Policies

An independent CISO has greater control over their organization’s cybersecurity program, allowing them to ensure that those strategies align with broader business goals and remain an organizational priority. This helps to alleviate the risk of conflict of interest that can arise when CISOs report to CIOs. For example, CIOs may want to optimize technology infrastructure, while the CISO knows that optimizing security practices is a higher priority. Autonomous CISOs are enabled to focus solely on security practices without being influenced by IT-related considerations or budgetary conflicts that are generally advocated for by CIOs.

Furthermore, independence grants the CISO a strategic role, allowing them to shape security protocols across all business functions and communicate the importance of those protocols in achieving overall business goals. In creating two distinct roles for a CISO and CIO, customers and partners alike will recognize that security is not just a check-the-box activity for their provider, but a fundamental activity that supports holistic goals and builds trust.

Providing Agency to CISOs

Essential to a CISO’s job is developing disaster recovery and business continuity plans, which are instrumental in ensuring that the business can withstand disruptions and quickly recover from IT or cyber events. By reporting directly to senior leadership, such as the CEO, CISOs are empowered to better align cybersecurity strategy with the organization's risk appetite, resulting in more effective risk management.

Moreover, CISOs can impartially evaluate and address risks that affect not only IT systems but also areas like legal compliance, reputation, and operational continuity, to further ensure a comprehensive approach to risk management. This prepares organizations for a much wider range of potential adverse events and to be able to easily minimize the impact, disruption, and downtime.

A Security-First Culture

To drive a security-first culture, enterprises must spend their available investment dollars wisely. Independent CISOs are more likely to have easier access to the funding needed to support security initiatives which, in turn, reduces resistance encountered when requesting budgets, ensuring that critical measures are adequately funded and not deprioritized for other IT-related spending. Further, cybersecurity is viewed as a holistic activity that touches all activity and operations, so, by implementing an independent CISO and reporting structure, they can help break down siloes to foster cross-functional collaboration. This is done by engaging each department to understand their unique needs and concerns, while also conveying the importance of the role that each employee plays in securing the organization.

The role of the CISO in today’s business cannot be understated. These executives work diligently behind the scenes to protect organizations from everything from data breaches to ransomware attacks. For CISOs to be most effective, though, they must be independent of the CIO and have their own seat at the decision-making table. In granting CISOs independence from CIOs, it not only bolsters security posture, but also shows the organization’s commitment to a security-first mission.

About the author: Avani Desai is a Chief Executive Officer at Schellman, the largest niche cybersecurity assessment firm in the world that focuses on technology assessments. Avani is an accomplished executive with domestic and international experience in information security, operations, P&L, oversight, and marketing involving both start-up and growth organizations.

Also passionate about strategic philanthropy, Avani sits on the board of Arnold Palmer Medical Center, Philanos, Audit Committee chairwoman at the Central Florida Foundation, and is the co-chair of 100 Women Strong, a female-only venture capitalist based giving circle that focuses on solving community-based problems specific to women and children by using data analytics and big data. Avani is also an avid runner, always looking to sign up for the next Disney marathon.

About the Author

Avani Desai | Chief Executive Officer at Schellman

Avani Desai is a Chief Executive Officer at Schellman, the largest niche cybersecurity assessment firm in the world that focuses on technology assessments. Avani is an accomplished executive with domestic and international experience in information security, operations, P&L, oversight, and marketing involving both start-up and growth organizations.

Also passionate about strategic philanthropy, Avani sits on the board of Arnold Palmer Medical Center, Philanos, Audit Committee chairwoman at the Central Florida Foundation, and is the co-chair of 100 Women Strong, a female-only venture capitalist based giving circle that focuses on solving community-based problems specific to women and children by using data analytics and big data. Avani is also an avid runner, always looking to sign up for the next Disney marathon.