Corporate Tech Leaders Untangle Their Cybersecurity Roles

A few years ago, if organizations were hit with a ransomware attack, the chief information officer “would come running” to the chief information security officer for help in dealing with the aftermath, said

Lena Smart,

the CISO of database service provider

MongoDB Inc.

Now, Ms. Smart said her security department works with CIO

Mindy Lieberman

to get ahead of ransomware attacks. About 50% of the company’s threat planning simulations, in which IT plays an active role, involve ransomware scenarios, according to Ms. Smart.

Across organizations worldwide, CIOs and CISOs are redefining their relationships, a shift reflecting both a surge in high-profile cyberattacks, and cybersecurity’s steady rise to the top of CIOs’ priorities—the result of continuing IT modernization, analysts say. In the most common corporate structure, CISOs report to CIOs.

“It is cybersecurity. …That is the highest priority,”

Chris Howard,

chief of research at technology research and consulting firm

Gartner Inc.,

told The Wall Street Journal earlier this year.

The accelerated adoption of cloud computing and cloud-based software in enterprise technology environments has also made the cloud “the main target for top-tier attackers,” said Phil Venables, the CISO of

Alphabet Inc.’s

Google Cloud. 

That, too, has forged closer ties between CIOs and CISOs, as they put greater focus on protecting infrastructure across cloud environments, Mr. Venables said.

The closer ties aren’t without tension.

In some cases, CIOs and CISOs have “difficult conversations” about what priority the IT team should give to tasks like software patching and system monitoring, which are crucial for mitigating cyber threats, said

Bonnie Titone,

the CIO of utilities provider Duke Energy Corp. Those tasks can add to the workload of an IT operations team, Ms. Titone said.

The Charlotte, N.C.-based power producer moved cybersecurity under Ms. Titone’s purview about a year ago, partly in response to cyber threats like the ransomware attack that led Colonial Pipeline Co. to temporarily shut down its pipeline in 2021.

“Being in a utility, specifically one of the largest, Duke’s kind of the 800-pound gorilla,” Ms. Titone said. “We generally have a target on our back.”

Though the CISO reports to her, Ms. Titone said security has “the biggest bark in the room.” On the other hand, it is “IT’s job is to enable the company, or else you can’t build tools and rules and components. That stops you from innovating,” she said.

Jim Swanson,

the CIO of healthcare-products company

Johnson & Johnson,

says although security sits within his priorities and responsibilities, he makes sure the CISO

Marene Allison

‘s voice is heard. Ms. Allison is retiring at the end of the year, the company said, and will be succeeded by

Gary Harbison.

“I’ve always made sure that it is a prominent function, reports at my leadership team table, it’s not buried in the organization, they have an independent voice,” Mr. Swanson said. “So when I talk to our board, I talk about our operational data, and my CISO does the presentations.”

At

Adobe Inc.,

the CISO sets corporate cybersecurity policies but works with the IT organization to execute them, said

Cynthia Stoddard,

the company’s chief information officer. But there is also collaboration between them where “security may set the policy, but my team is raising, ‘Hey have you thought about this?’” Ms. Stoddard said.

Prasad Ramakrishnan,

the CIO and former CISO of software maker

Freshworks Inc.,

said IT and security have shared roles in evaluating the cybersecurity resiliency of corporate software purchases. And in securing a hybrid work environment, his joint cybersecurity and IT roles included adding a new cybersecurity layer on top of cloud-based software on company laptops.

MongoDB’s Ms. Smart said that she is often collaborating with Ms. Lieberman to secure applications developed by the company’s software engineers for internal use. “We have a lot of bespoke tools being a tech company,” she said. “If we find something and it’s got a critical vulnerability, they’ll fix it immediately. That’s the agreement.”

As the demand for corporate security leaders has grown—along with elevation and visibility of the role—there is renewed interest in the dynamics between the CIO and CISO, said

Alex Michaels,

a Gartner adviser who works with IT leaders.

Mr. Michaels recommends that CIOs and CISOs “establish clear definitions of ownership, accountability as well as roles and responsibilities,” particularly for ransomware and malware attack scenarios. 

“Regardless of the relationship between the CISO and CIO, it is important to remember that the business owners of information are ultimately accountable for protecting their own information,” he said.

— Isabelle Bousquette contributed to this article.

Write to Belle Lin at belle.lin@wsj.com

Comments are closed.