CISO vs. CIO: Who runs Australian and NZ cybersecurity better?

New data suggest that both types of IT executives can manage the information security function, but there are differences that suggest the CISO is the better route, if organisations can afford the separate role.


Across Australia and New Zealand, a study from global professional association and learning organisation ISACA has found no strong differences between businesses where the security function is owned by a CISO and those where it is owned by a CIO. For the State of Cybersecurity 2021, ISACA researchers spoke to 3,659 individuals who have cybersecurity job responsibilities, 152 of those from Australia and New Zealand.

Surprisingly, the study found that cybersecurity ownership made no difference to organisational views on increased or decreased cyberattacks, confidence levels related to detecting and responding to cyberthreats, and perceptions of cybercrime reporting. So, whether there is a CIO or a CISO at the helm, the perception and confidence around the risks and importance of cybersecurity were relatively the same.

However, there were big differences depending on whether the CISO or the CIO was the executive in charge of cybersecurity. Organisations with a CISO in charge of cybersecurity had the board of directors prioritise cybersecurity more than those with a CIO in charge. The same applies to the alignment of the cybersecurity strategy with the organisational objectives; it happened more in organisations that had a CISO at the helm.

Karen Heslop, senior director of content development for ISACA, told CSO Australia that the value of cybersecurity risk assessments in Australia and New Zealand was 6% higher under a CIO than under a CISO. That was different from the pattern elsewhere in the world, but there was no obvious reason for that difference.

CISO vs. CIO in Australia and New Zealand
