Artificial Intelligence & Machine Learning
,
CISO Trainings
,
Next-Generation Technologies & Secure Development
Enterprises Are Reimagining Org Roles, Risk Management and Skillsets in the AI Race
As artificial intelligence and digital transformation become table stakes for today’s enterprises, CIOs and CISOs are being pulled into the spotlight, and the way these two leaders operate is changing.
See Also: eBook | Generative AI: A Game Changer for Security Skills Training
Organizations are beginning to reimagine how these leadership roles should be structured, aligned and empowered as they grapple with regulatory pressures, the unpredictable nature of AI systems and the need for operational resilience in an uncertain business climate.
Today’s CIOs are perpetual jugglers, balancing budgets and helping spur technology innovation at speed while making sure IT goals are aligned with business priorities, especially when it comes to navigating mandates from boards and senior leaders to streamline and drive efficiency through the latest AI solutions. And the solution needs to be up and running – now.
Across the table, CISOs face widening attack surfaces and unforeseen threat vectors including enterprise introduction of AI tools. Their goal is to minimize risk and protect data and infrastructure while keeping the business running.
Conflicting mandates, competing interests and even corporate reporting structures complicate the CIO-CISO relationship. But success in the AI era depends on collaboration, and some experts say that means ensuring the CISO has more authority – and doesn’t report to the CIO.
“From a corporate governance perspective, the current paradigm of having CISOs report to CIOs is akin to a defensive coordinator reporting to an offensive coordinator in football,” said Tom Kellermann, vice president of cyber risk at cybersecurity firm Hitrust. “It represents a crisis of corporate governance. CISOs must be given separate budgets and have the authority to pause new technology deployments based on risk.”
Olivia Rose, CISO and founder of Rose CISO Group, said having the CISO report to the CIO introduces the potential for “a conflict of interest.” Finding a happy medium between their potentially conflicting priorities can create discord that as the sole leader, the CIO must adjudicate, potentially sacrificing security. And when marginalized by such decisions, a CISO who reports to a CIO may back down too quickly.
“The CISO’s decisions may be affected by the reporting structure, as the CIO manages their performance reviews,” Rose said.
Rose recommends having the CISO report directly line to the CEO, and when that’s not feasible, reporting into the legal department.
“The most common concern with having the CISO report into legal is that legal is not technically inclined,” she said. “This is actually a positive as cybersecurity has become more of a business-enabling function over a technological one. It also requires the CISO to translate tech-speak into language that is understandable by non-tech leaders in the organization and incorporate business and strategic drivers.”
As organizations undergo digital transformation and incorporate AI into their tech stacks, more are creating alternate C-suite roles such as “Chief Digital Officer” and “Chief AI Officer.” In some cases, embedding CISOs in those organizations could make good business sense.
“Within that function, there tends to be a group that focuses on AI and works to partner with other teams in the organization to educate them to incorporate AI in their plans and initiatives. When these roles are in place, there tends to be more of a focus on the business over a sole focus on technology, which is what the CIO would offer. It would work well then to have the CISO report into this new function,” Rose said.
Midsize companies may not need a full-time CISO, said former CIO Isaac Sacolick, president of digital transformation learning company StarCIO and a best-selling author. Smaller organizations can thrive while still keeping security nestled inside the technology organization or by outsourcing to a managed service provider, but only if CIOs are well-versed in cybersecurity and can understand a fractional CISO or MSP’s recommendations.
“Ultimately, they’re on the hook for what gets prioritized and recommended there,” Sacolick said.
At the enterprise level, Sacolick advocates putting both the CIO and CISO on the team.
“I think healthy organizations have two people looking at the world through two different lenses. I think the power of it is when they’re spending enough time together to explain what they’re seeing,” he said. “Organizations can’t afford CIOs and CISOs not collaborating well together.”
When it comes to AI systems, the CISO’s organization may be better positioned to lead enterprise-wide transformation, Sacolick said. AI systems are nondeterministic – they can produce different outputs and follow different computational paths even when given the exact same input – and this type of technology may be better suited for CISOs.
CIOs have operated in the world of deterministic IT systems, where code, infrastructure systems, testing frameworks and automation provide predictable and consistent outputs, while CISOs are immersed in a world of ever-changing, unpredictable threats.
Risks are always present as AI models evolve, vendors change algorithms and human users apply tools inconsistently. CISOs have honed their skills for monitoring change, containing risk, establishing rollback plans and identifying anomalies over time.
“We’ve got all these sorts of deterministic things happening in the app dev world and in the infrastructure world,” Sacolick said. “But the CISO’s been living in this world of ‘I don’t know what’s going to hit me tomorrow’ for a much longer period of time.”
