Increasing Online Infrastructure Prompts Security Chiefs to Assume IT Responsibilities

Stay-at-home orders implemented during the Covid-19 pandemic have led to an increase in cloud computing and remote technology setups, which in turn has exposed companies to higher cybersecurity risks. As a result, some corporate cybersecurity chiefs are taking on the responsibility of overseeing all information technology. However, managing both roles can be challenging and requires a delicate balance.

Lucia Milică Stacy, the global resident CISO at cybersecurity firm Proofpoint, explains that these chief information security officers (CISOs) have a deep understanding of the cyber risks associated with a distributed tech infrastructure, thanks to their experience in general IT. She notes that while IT leaders may have broad knowledge, they may not have specialized in security.

A survey of 650 security executives conducted by Hitch Partners in April revealed that about 19% of CISOs at publicly traded companies also have responsibility for IT. In private companies, this number rises to 46%. Oren Yunger, co-founder of Silicon Valley CISO Investments, an investment group, states that while CISOs are not completely replacing chief information officers, the dual role makes sense for certain companies. Yunger adds that combining the roles of CISO and IT leader allows for operational efficiencies, particularly in tasks like patching.

The landscape has changed over the past decade, Yunger explains. In the past, most security chiefs reported to a company’s chief information officer or chief technology officer. Now, however, a significant portion of IT work is focused on security, prompting the need for CISOs to take on additional responsibilities.

Adam Glick, CISO at home-security company SimpliSafe, also assumes responsibility for IT. This arrangement enables him to integrate security objectives from the start, rather than adding security measures to existing projects. On the other hand, Gerardo Richarte, CTO at satellite operator Satellogic, expanded his role to become the CISO about four years ago. Managing both functions can be challenging for Richarte, as conflicts arise when each group wants to start a project that directly impacts the other. However, Richarte sees having both perspectives as a positive, as it allows him to find ways for the teams to collaborate.

Richarte shares an example where the IT team wanted to implement software that the security team deemed risky. However, through collaboration, they found an alternative solution that involved using an online platform instead. This avoided the need for installing a new desktop application while ensuring security and cost-efficiency.

Nirav Shah, CIO at Republic Airways, who also serves as CISO and chief digital officer, explains that when faced with conflicting opinions, he gives priority to the security team’s perspective. Shah believes it is better to err on the side of caution than to regret it later.