Samira Sarraf
Regional Editor for Australia and New Zealand

CISO vs. CIO: Who runs Australian and NZ cybersecurity better?

News Analysis
Aug 08, 2021 | 4 mins
CIO, CSO and CISO, Security

New data suggest that both types of IT executives can manage the information security function, but there are differences that suggest the CISO is the better route, if organisations can afford the separate role.

Credit: Thinkstock

Across Australia and New Zealand, a study from global professional association and learning organisation ISACA has found no strong differences in security outcomes between businesses where the security function is owned by a CISO and those where it is owned by a CIO. For the State of Cybersecurity 2021, ISACA researchers spoke to 3,659 individuals who have cybersecurity job responsibilities, 152 of them from Australia and New Zealand.

Surprisingly, the study found no differences between the two ownership models in organisational views on increased or decreased cyberattacks, in confidence levels related to detecting and responding to cyberthreats, or in perceptions of cybercrime reporting. So, whether a CIO or a CISO is at the helm, the perception of and confidence around the risks and importance of cybersecurity were relatively the same.

However, there were big differences in other areas depending on whether the CISO or the CIO was the executive in charge of cybersecurity. In organisations with a CISO in charge, the board of directors prioritised cybersecurity more than in those with a CIO in charge. The same applies to the alignment of the cybersecurity strategy with organisational objectives; it happens more often in organisations with a CISO at the helm.

Karen Heslop, senior director of content development for ISACA, told CSO Australia that the reported value of cybersecurity risk assessments in Australia and New Zealand was 6% higher under a CIO than under a CISO. That differed from the pattern elsewhere in the world, but there was no obvious reason for the difference.

CISO vs. CIO in Australia and New Zealand

Generally speaking, a CIO’s role is to ensure that systems and information are available and, increasingly, to participate in business strategy through the use of technology, whereas a CISO’s role is to ensure the proper controls are in place so that only the right people have access and the information stays where it is supposed to be, Heslop said: enablement vs. control.

In Australia, 97% of all organisations are small businesses, which likely makes it hard to budget for two C-level executives and for separate systems and information security specialties within IT, Heslop said. Thus, with smaller budgets and smaller IT teams, the CIO or IT manager inherits the information security functions rather than the organisation having a dedicated CISO or a dedicated security team within IT. That scale greatly affects the organisational decision on whether the security function reports to a CISO or a CIO, she said.

Another factor is the maturity of the business and its corresponding maturity in information security. More mature organisations are more apt to regularly assess their cybersecurity levels. In Australia and New Zealand, 68% do—but 32% do not.

Cybersecurity state for ANZ organisations

The study found that 62% of Australian and New Zealand organisations expect to experience a cyberattack in the next 12 months. As previously reported, recent figures from Check Point Research flagged a 153% increase in mobile malware-based attacks against Australian targets and a 38% increase in ransomware attacks—part of a 24% increase in cyberattacks against Australian targets in the first two months of 2021 compared with the previous four months.

Many organisations have already been attacked, with 41% of respondents confirming this—not just the victims of well-known recent cyberattacks such as Nine Network, UnitingCare Queensland, and the New Zealand Stock Exchange (NZX).

Despite the increasing volume of attacks, 72% of Australian and New Zealand respondents said they are confident in the ability of their cybersecurity teams to detect and respond to cyberthreats. And 77% of respondents said they believe cybersecurity training and awareness programs have a positive impact. The report also found that machine learning or robotic process automation is fully operational in a third of the respondents’ security operations, which should enable faster detection of and response to attacks.

Computerworld New Zealand reported on other findings from the ISACA report specific to Australia and New Zealand.