Stay-at-home orders during the Covid-19 pandemic spurred new cloud computing and remote-technology setups, increasing company exposure to hackers. As a result, some corporate cybersecurity chiefs are also taking on the leadership role for all of information technology. Oversight of both groups isn’t an easy line to walk.
Having spent years in general IT, these chief information security officers understand the cyber risks of an increasingly far-flung tech infrastructure, said Lucia Milică Stacy, global resident CISO at cybersecurity firm Proofpoint.
“We’ve worked IT, we came from that background,” she said. “The difference is a lot of the IT leaders haven’t necessarily honed in on the security side.”
About 19% of CISOs at publicly traded companies also have responsibility for IT, according to a survey of 650 security executives published in April by Hitch Partners. Among private companies, 46% of CISOs hold the double role, the recruiting firm found.
CISOs aren’t displacing chief information officers en masse but for some companies, the dual hat makes sense, said Oren Yunger, a co-founder of Silicon Valley CISO Investments, an investment group. At least half of the CISOs at the portfolio companies of SVCI, have assumed responsibility for all of IT, said Yunger, who is also a partner at venture-capital firm GGV Capital.
Productivity is one reason, Yunger said. Patching, for instance, is a core security task that has traditionally been done by IT. Rolling up the two roles allows for operational efficiencies, he said.
Ten years ago, substantially all security chiefs reported to a company’s chief information officer or chief technology officer, Yunger said.
“What has changed in my opinion is that a lot of the IT work is actually doing security,” he said.
At home-security company SimpliSafe, CISO Adam Glick is also responsible for IT, which allows him to deploy technology in line with security objectives from the start, he said, rather than adding security processes and tools to existing projects.
The change isn’t one way. Some tech leaders have taken on cybersecurity responsibilities.
Gerardo Richarte,
CTO at satellite operator
expanded his role to take on the CISO title around four years ago.
Managing both functions can be difficult. Sometimes, each group wants to start a project that has a direct impact on the other, leaving Richarte to navigate conflicts, he said.
“In that sense, I think it’s positive I have the two views and I can always find a way to have the teams work together,” he said.
Recently, an IT manager at Satellogic sought approval for software that would improve how the company works with partners, but the security team thought the system would be risky, Richarte said. The two teams together found a different way to address the problem by choosing an online version of a platform that Satellogic employees and external partners could jointly use. The company didn’t need to install a new desktop application and the online platform didn’t add risks or spending, he said.
Nirav Shah, CIO at Republic Airways, who is also CISO and chief digital officer at the airline operator, said that when faced with such choices, he usually has a simple solution.
Technology teams often like to move quickly and go live with products as soon as development is completed. Security teams, though, want to conduct reviews such as penetration tests before releasing new software. Shah, a former software engineer, said he has come around to that way of thinking.
“If I’m the tiebreaker vote, then it’s probably what the security team wants,” he said. “I would much rather be cautious than sorry later on.”
—Catherine Stupp contributed to this article.
Write to James Rundle at james.rundle@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
About Author
