Frank Cassano

CIO: The Next Career Step After Being The CISO? Why Not?

Welcome once again to “The risk rack”. Today’s column deals with Chief Information Security Officer (CISO) career paths and whether a CISO’s career path includes, or should include, the role of Chief Information Officer (CIO). I believe it should, and I believe that companies have overlooked CISOs when looking for CIO candidates. This column will attempt to demonstrate that CISOs are uniquely qualified to step into the CIO role of today.

In past eras, CIOs were primarily required to be strong leaders, be comfortable dealing with senior management, have a strong technical background, have a strong operational background, and be able to understand the company’s business and apply technology to that business. While I believe all of these skills are still requirements of a CIO, I believe an additional requirement has moved up the food chain and has become just as important in a CIO’s profile as any of the others: the ability to manage risk. Hasn’t Information Technology (IT) risk always been a primary requirement of the CIO? Yes and no. Although, as everyone knows, it has always been a requirement, it was always a secondary activity, an add-on to IT projects as they evolved, not truly a strategic element of the program. Many CIOs would probably argue this point with me, but it was true in the past and for the most part it is still true today. Unfortunately for those who want to maintain the status quo, IT risk management has taken a more prominent role as increased regulatory requirements force organizations to meet these obligations. How organizations deal with these new obligations, and who they assign to deal with them, will significantly affect their bottom lines.

In this new environment I believe that CISOs, or IT management professionals with CISO experience, should be strong candidates for the role of CIO in any organization. I believe this for a number of reasons. As noted above, a CIO was and still is required to be a strong leader, be comfortable dealing with senior management, have a strong technical background, have a strong operational background, and be able to understand the company’s business and apply technology to that business, together with the new requirement of being able to integrate IT risk management into the IT strategy. Taking each of these in turn:

Strong Leadership

Most good CISOs must be strong leaders simply by the nature of the task assigned to them. The CISO must not only identify risk but must guide the team in executing strategies, processes and activities to address it, with little direct control over the IT environment.

Senior Management

CISOs also must often present risk issues to senior management, including the board of directors. Some boards also rely on the CISO as their expert on risk.

Strong Technical Background

Again, due to the nature of their responsibility, and unlike many senior IT management team members who may only need to keep up to speed on advances in one area such as development, hardware or telecommunications, the CISO must keep up to speed on all of the key areas, since any one of these technologies, and the way they interact, has security implications.

Strong Operational Background

In order to apply the appropriate level of controls to an area, CISOs must be cognizant of the operational processes that use, and are used by, the various IT solutions, so once again this is clearly an area in which the CISO would have extensive knowledge and expertise.

Understand the Business and Apply Technology to Support

Like any senior IT leader, the CISO would be involved in meeting with senior business leaders, identifying their needs, and working with other senior IT leaders to determine the best way to apply technology to meet those needs.

Ability to Integrate Risk Management into the IT Strategy

The last CIO characteristic, which has become a much bigger part of the role, is where the candidate with a CISO background clearly has an advantage. Not only is this a core part of their current role, but because it is, applying a risk management philosophy to IT management would be intuitive to them, as opposed to other candidates who may have come from a purely technical track. The CISO candidate would also have extensive experience in understanding regulatory requirements and working closely with regulators.

In conclusion, I believe I have made the case that CISOs should be considered as candidates for CIO positions and that, in the current environment, they are well positioned to meet the needs of an organization. With a CIO who has a CISO background, an organization can expect its IT organization to be architected, managed and structured to meet its technical needs in a secure and efficient manner, and to be positioned to respond to any regulatory query quickly and cost effectively. I am not stating that all CISOs would make great CIOs, or even that all CISOs want to be CIOs, but that in the current environment CISOs should be strongly considered for CIO positions.
