This is Part 1 of a 3-part series from our newest ebook, "The CEO's Guide to Hiring a CISO."
Technology leadership is pivotal in driving organizations forward by strategically planning, implementing, and managing technology resources. It encompasses using technical knowledge, tools, systems, and processes to foster innovation, achieve organizational goals, and maintain a competitive edge in the marketplace.
Technology Leaders, often part of the executive team supporting the CEO, oversee the investment in and utilization of technology. This section explores the:
- Concept of technology leadership,
- Technology consumer and technology creator organization types,
- Technology leadership roles appropriate for each type of organization, and
- Key roles that comprise technology leadership, including the Chief Information Officer (CIO), Chief Technology Officer (CTO), and Chief Information Security Officer (CISO).
What is Technology Leadership?
Technology, in the context of technology leadership, refers to using technical knowledge, tools, systems, and processes to create, develop, and manage innovative solutions that drive an organization or industry forward. Technology Leadership is an executive role that encompasses the strategic planning, implementation, and management of technology resources (both human and financial) to achieve organizational goals, foster innovation, and maintain a competitive edge in the marketplace.
Technology Leadership, then, is a subcategory of executive leadership primarily concerned with an organization's investment in and use of technology to further an organization’s goals. Whether that organization primarily buys and implements technology for its own use or is a technology company that primarily creates technology products and services for other organizations to use, both usually have technology leaders overseeing these functions. Often confused with the executive leadership of a technology company (e.g., the CEO of a software company), technology leadership in this context is most often part of the leadership team that supports the CEO and is a peer to other functional leaders (CFO, CMO, CHRO, GC, etc.).
The definition of technology leadership is further narrowed to those leaders who are responsible for leading technology and who report organizationally to a non-technology leader (most often the CEO or a Division President, but in smaller companies possibly a functional leader such as the CFO). This generally excludes direct reports of a technology leader, unless the role achieves such significance that it has an alternative (e.g., "dotted line") reporting relationship to a non-technology leader, as is the case for the Chief Information Security Officer (CISO), who often reports both to a CIO/CTO and to Legal, Internal Audit, or the Board of Directors. Also excluded are consulting professionals whose clients are technology leaders and their organizations but who themselves do not have authority and responsibility over the human and financial technology resources of those organizations.
What types of Organizations Engage Technology Leadership?
Technology use in organizations has become so ubiquitous that all types of organizations in all industries use Technology Leadership to effect the strategic planning, implementation, and management of technology resources (both human and financial) to achieve organizational goals, foster innovation, and maintain a competitive edge in the marketplace. However, to better understand technology leadership, all organizations using technology leadership can be assigned to one of two broad categories:
1. Technology Consumer - Those organizations that primarily consume technology to produce their revenue
2. Technology Creator - Those organizations that primarily create technology to produce their revenue
Technology Consumers heavily depend on Technology Creators for innovation and transformation, and they account for the bulk of the roughly $4 trillion spent annually to compensate Technology Creators for technology products and services (data centers, software, devices, services, communications). This is not to say that Technology Consumers never create technology, or that Technology Creators never use technology created by others. But, as the categories suggest, the key differentiator is whether the primary source of revenue (i.e., greater than 50%) is derived from selling technology to other organizations or from selling other products and services (banking, auto, construction, etc.) that benefit from consuming technology created by others.
Defining the two broad categories of organizations that engage in technology leadership is useful in understanding the roles that comprise technology leadership.
What is a CISO?
The Chief Information Security Officer (CISO) is a senior technology executive responsible for an organization's information security strategy and for its security governance, risk management, and compliance posture. The CISO's team protects the organization's digital assets from cyber threats and responds to the cybersecurity incidents that arise. The role therefore extends beyond protection alone: it also encompasses incident management across the entire technology environment, from preparation and detection through response, recovery, and any required disclosure.
While this serves as a baseline definition for a CISO, the CISO’s role is at a crossroads because of:
- the acceleration of cybersecurity breaches,
- the increased usage of generative AI tools, and
- stricter cybersecurity rules that emphasize disclosure requirements*

*Source: ASIS International
This guide will help you navigate the ever-evolving role of CISOs so that you can make an informed decision about hiring a virtual, fractional, or full-time CISO.
What is a CISO’s role within the C-Suite?
The CISO ensures that the C-suite clearly understands the cybersecurity posture of the organization and coordinates the C-level discussion of the cybersecurity program's strategic priorities. The CISO does this by providing visibility into the components of the program. That visibility typically includes both a GRC (Governance, Risk, and Compliance) view, focused on cyber risk, and an operational view, covering the technical controls and programs that mitigate that risk. Some organizations, however, prefer to place the operational side under a CIO, who then works in concert with the CISO to implement the CISO's strategy for protecting the organization's cybersecurity posture.
Furthermore, the CISO provides the methodology for cyber incident response plans and assigns responsibilities across the organization. Incident response involves multiple C-level roles, so the CISO must coordinate across them to ensure that inherent and residual cyber risk is understood and that the C-suite shares responsibility for the actions required to manage the cyber program.
Who does a CISO report to?
Reporting structures for the CISO role vary with organizational needs, but all should preserve the CISO's direct accountability to the board or business owner. Depending on the organization type, the CISO may report to any of the following:
- Chief Executive Officer (CEO)
- Chief Information Officer (CIO)
- Chief Operating Officer (COO)
- Chief Compliance Officer (CCO)
- Chief Administrative Officer (CAO)
- Chief Financial Officer (CFO), or
- Chief Security Officer (CSO)
Ultimately, the CISO is accountable to the Board or the business owner.
What kind of companies need a CISO?
Every company that uses technology to conduct business, regardless of size, can benefit from the expertise of a CISO; whether the role should be full-time or fractional depends on the company's scale and regulatory environment. Large companies typically require a full-time CISO, while small and mid-size companies can be served by a part-time or fractional CISO.
Further, the emergence of the term "vCISO" (Virtual CISO) can complicate the choices and the surrounding discussion. For the purposes of this document, vCISO overlaps with fractional and most often means "highly fractional": often 1-4 hours per week in an advisory role, generally at smaller companies or at companies with less-experienced security leadership that needs a world-class mentor.
Certain regulated industries (e.g., financial services) require regulated companies to designate a CISO, with a virtual CISO (vCISO)* being an acceptable option (see the New York State Cybersecurity Resource Center). If the confidentiality, integrity, and availability of data and its supporting systems are concerns, an organization will benefit from, and often be required to have, a CISO.
* The New York State Cybersecurity Requirements for Financial Services Companies are set out in 23 NYCRR Part 500. Section 500.4, Cybersecurity Governance, states: "Each covered entity shall designate a CISO. The CISO may be employed by the covered entity, one of its affiliates, or a third-party service provider."
What are the key responsibilities of a CISO?
The key responsibilities of a CISO are guided by a variety of frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). These frameworks broadly cover the cybersecurity spectrum, from strategy setting and risk management to incident response and recovery, and following one helps ensure a robust, forward-thinking cybersecurity posture. NIST CSF 2.0* organizes a modern cybersecurity program into six core Functions that the cybersecurity function must provision and manage: Govern, Identify, Protect, Detect, Respond, and Recover.
Specific responsibilities include:
- Setting strategy, policy, and related execution plans
- Security risk management
- Security architecture, technology, and infrastructure
- Incident response and disclosure
- Security awareness and training
- Third-party (vendor) risk management assessments
- Reporting to key points of partnership and disclosure:
  - Regulatory
  - Compliance
  - Leadership
  - Board
  - Clients
  - Employees

*Source: NIST Cybersecurity Framework 2.0
What are the key attributes of a successful CISO?
It is paramount that a CEO can identify the essential qualities of an effective CISO, including strategic insight, technical expertise, and the ability to communicate complex security issues at every level of the organization. In summary, a successful CISO demonstrates:
- Strategic thinking
- Business acumen
- Technical proficiency
- Risk management
- Clear communication to all levels of the organization
- Collaborative management style
- Situational awareness, and
- Adaptability
What are some alternative titles for the Chief Information Security Officer (CISO) role?
A range of titles reflects the varied nature of the CISO role and the breadth of responsibilities it carries in modern cybersecurity leadership. They include:
- Chief Trust Officer
- Chief Security Officer
- Information Security Officer
- VP of Information Security
- Risk Management Officer
- Technology Risk Management Officer
- Director of Security
- Information Assurance Officer
Download the full e-book: The CEO's Guide to Hiring a CISO
Contributors: Burke Autrey (CEO), Walt Czerminsiki (Partner), Tim Mather (Partner), Bill Alfveby (Partner).