Since 2018, I have held the role of Chief Technology Officer (CTO).

Last month, my role was expanded, combining the roles of Chief Technology Officer (CTO) and Chief Information Security Officer (CISO).

The expansion was the result of an unforeseen personal change and not necessarily part of my career plan.

However, sometimes circumstances present an opportunity and it was certainly a gratifying “vote of confidence” in my ability. Therefore, I willingly accepted, excited by the prospect of personal development and the chance to broaden my value contribution.

With that said, I did have some reservations regarding the impact of combining the CTO and CISO, both personally and from a business perspective.

Therefore, I thought I would share my thinking, highlighting some of the benefits and concerns.

As a starting point, I feel it is important to baseline the responsibilities of the CTO and CISO.

It should be noted that these responsibilities are not consistently defined. For example, depending on the company, the CTO role can cover everything from technology operations management to technology innovation (and sometimes both).

Outlined below are the responsibilities of the CTO and CISO at my company.

Chief Technology Officer (CTO)

The Chief Technology Officer (CTO) is the executive responsible for the overarching technology strategy, including investments, architecture, engineering and external engagement.

  • Business Development: Partner with the business to build a strategy that supports the company objectives. Help to identify and realise opportunities, including new digital/data business models.

  • IT Vision and Strategy: Position IT as a differentiator, delivering a secure, reliable, efficient IT Ecosystem and new value through the creation of innovative digital/data products, services and insights.

  • Technology Governance: Establish, embed and maintain a framework of authority and accountability that defines and controls the outputs, outcomes and benefits of Information Technology, ensuring prioritised initiatives have the required structure, sponsorship and funding to succeed.

  • Technology Investments: Establish and maintain the technology investment portfolio, including the executive relationships with strategic partners, maximising the return on investment.

  • Architecture: Analyse and evaluate the business and IT capabilities, identifying opportunities to optimise performance and continuously evolve the company towards the desired future state. Includes the leadership of Business Process, Solution, Data, and Domain architects, responsible for the creation and maintenance of architecture principles, positioning, methods and models, including technical enforcement mechanisms.

  • Engineering: The design and delivery of IT infrastructure, Operational Technology (OT), and digital/data products (internal and external), covering discovery (experimentation) through to scale and support. Includes the leadership of Solution, Data, Site Reliability, and DevOps engineers.

  • Innovation and External Engagement: Identify and promote technology opportunities that position the company as a market leader in Science, Technology, Engineering and Mathematics (STEM), supporting talent acquisition and external collaboration.

  • Coaching and Mentoring: Engage in the community (internal and external) across multiple channels, looking to share, educate and inspire. Support and promote the recruitment and personal development of individuals following a career path in STEM.

Chief Information Security Officer (CISO)

The Chief Information Security Officer (CISO) is the executive responsible for developing and implementing an information security program, covering cyber, data and information security.

  • Security Governance: Establish, embed and maintain a framework of authority and accountability that defines and controls the outputs, outcomes and benefits of Information Security, ensuring prioritised initiatives have the required structure, sponsorship and funding to succeed.

  • Cyber Risk and Cyber Intelligence: Assessment of cyber threats and threat actors following a defined risk framework, including strategies to mitigate potential attacks and harmful events that occur in cyberspace.

  • Security Operations: Continuous analysis of immediate threats, including triage processes that facilitate incident response and recovery.

  • Data Loss and Fraud Prevention: A defined strategy to detect and respond to potential data breaches, data exfiltration, and fraudulent activities.

  • Awareness and Education: Define and implement company-wide awareness and education initiatives to improve the Information Security risk posture, promoting Security by Design. This includes close partnership with Quality Assurance, Privacy, Legal and Corporate Communications, with a focus on Executive Leadership and the Board of Directors.

  • Security Architecture: Analyse and evaluate the business and IT security posture, identifying opportunities to reduce risk and continuously evolve the company towards the desired future state. Includes the leadership of Information Security architects, responsible for the creation and maintenance of architecture principles, positioning, methods and models, including technical enforcement mechanisms.

  • Security Engineering: The design and delivery of Information Security services that secure and protect network systems, applications, and data, covering configuration/maintenance, testing/remediation, operational automation and investigations.

  • Forensic Investigations: Structured methods and tools to collect and analyse evidence related to a cyberattack, identifying the root cause and implementing relevant mitigations.

Combined CTO / CISO

As highlighted by the responsibilities, there are natural points of convergence, specifically architecture and engineering when targeting Security by Design.

However, each role also includes a range of unique responsibilities, which have the potential to be time-consuming, commonly resulting in two dedicated roles.

Outlined below are the advantages and concerns associated with a combined CTO / CISO role.

Advantages:

  • Zero Trust: As highlighted in my article “Zero Trust”, the advent of digital/data business models has resulted in new threat vectors. Zero Trust is a fundamentally different approach to IT security, moving away from the traditional “moat/castle” strategy. It places a strong emphasis on Identity, the Principle of Least Privilege, and Securing at Source. I believe a combined CTO / CISO role could help accelerate the adoption of Zero Trust by positioning a unified strategy, ensuring discipline and removing bureaucracy.

  • IT Ecosystem Knowledge: The CTO should have an unparalleled understanding of the IT Ecosystem. Although certain roles have greater domain-specific expertise, very few roles have the full end-to-end understanding, with the ability to deep dive where required. This insight provides a unique appreciation of the strengths and weaknesses, which could help identify and prioritise risks.

  • Technical Expertise: Although technical depth is not a requirement of the CISO role, the technical expertise commonly possessed by the CTO could prove invaluable. For example, “code-level” knowledge when dealing with a software-defined IT ecosystem could help identify opportunities and troubleshoot incidents, whilst ensuring appropriate context when assessing risk.

  • Delivery/Ops: Security by Design requires product/project teams to embed security into their daily activities. This can be a challenge for dedicated Information Security teams, where roles and responsibilities can become confused or ignored. The established relationships and credibility between the CTO and Delivery/Ops teams should help bridge this gap, promoting and embedding the mission of Information Security.

Concerns:

  • Equilibrium: The CTO and CISO roles work best when balancing each other. The CTO should be progressive, pushing the boundaries of what is possible. The CISO should constructively challenge, helping to manage any associated risk. With the two roles combined, a new approach would need to be defined to self-regulate.

  • Governance, Risk and Compliance (GRC): A critical part of the CISO role is Governance, Risk and Compliance (GRC), establishing a framework of authority and accountability that defines and controls the outputs, outcomes and benefits of Information Security. This is a process-led (not technology-led) responsibility, requiring a different skill set to be successful.

  • Information Security Team: Succession in Information Security is commonly associated with the CISO role. By combining the CTO / CISO role, the expectations regarding expertise and experience are reset. This would likely reduce the viable candidates, potentially impacting morale and creating retention challenges.

  • Capacity: As highlighted, the CTO and CISO roles require a significant time investment to be successful as they both include a wide range of highly visible responsibilities. A combined CTO / CISO role will undoubtedly apply additional individual pressure, potentially impacting work/life balance and wellbeing. Certainly, something to consider when looking to ensure a healthy “long-term” career.

Conclusion

Looking across the industry, it is common for start-ups and small/medium businesses to have a combined CTO / CISO role. However, it becomes less common at the enterprise level.

In a perfect world, I do believe these two roles are best delivered separately, with a strong partnership. However, business-specific context is critical (every company is different) and there are certain advantages (as highlighted) to a combined role.

As a result, I am optimistic and energised about my expanded role as a combined Chief Technology Officer (CTO) and Chief Information Security Officer (CISO).

I recognise the need to establish and empower a strong team, as well as a clear strategy that promotes appropriate autonomy to ensure success. This will be my focus over the first few months!