CIO x CISO: Cybersecurity Risk and Career Vulnerabilities

As cybersecurity risks and threats multiply as technology advances, the partnership between CIOs and CISOs is more crucial than ever. Industry experts gathered at The Studio to discuss the challenges they face, from managing risk to handling the personal pressures of their roles.

In the fast-moving world of cybersecurity, CIOs and CISOs find themselves in a relentless race to keep up with nefarious actors and a record-number of attacks, but also the continued technological innovation of their own organisations and a slew of new regulatory requirements.

Despite this endeavour, research shows that data breaches impacted nearly 294 million people in 2023, with an average breach cost of over US$4 million. Data breaches continue to lead to customer mistrust, brand reputation damage and a loss of revenue. For the CISO, in particular, such incidents (remediated or otherwise) often lead to burnout, shorter tenures and even criminal convictions.

In this executive briefing at The Studio in partnership with Rapid7, we brought technology and security leaders together to discuss common security challenges, why cybersecurity is increasingly a team sport, get the Rapid7 Labs view on how to keep pace with an evolving threat landscape, and discuss the criticality of real-time endpoint and network visibility, actionable intelligence and cybersecurity risk prioritisation.

Meet the panellists

With Bridgid Nzekwu moderating this roundtable discussion, the panellists included:

• Victor Murineanu, Information Security Manager, Chelsea Football Club
• Tammy Archer, CISO, Inchcape plc
• Vicky Higgin, Chief Digital and Information Officer & Executive Director, City Fibre
• Shikha Hornsey, CIO, Crown Commercial Service
• Raj Samani, SVP, Chief Scientist, Rapid7

Cybersecurity risk: overview

• The changing role of the CISO
• The CIO’s perspective: collaboration is key
• Cybersecurity risk: the importance of a unified strategy
• The role of AI and automation in cybersecurity
• Strategic prioritisation and investment
• The role of actionable intelligence
• Managing stress in cybersecurity

The changing role of the CISO

Raj Samani, SVP, Chief Scientist at Rapid7, reflects on the challenges he faced as a former CISO. He recalls that security teams often operated in isolation from the broader business, perceived merely as an IT discipline rather than an integral part of business strategy. However, the role of the CISO has evolved significantly. "Security is no longer just an insurance policy for the business," Raj notes. "It's now about adding value, especially as digitisation transforms industries like oil and gas."

The integration of operational technology with digital systems has blurred the lines that once separated them, making cybersecurity a critical component of business innovation. For Raj, the CISO's department now has the opportunity to facilitate rapid digital innovation while managing cybersecurity risks to acceptable levels. The rise of threats such as ransomware underscores the importance of this role in safeguarding the business.

The CIO's perspective: collaboration is key

Vicky, a CIO by profession, shares her perspective on the CIO-CISO relationship. She highlights the importance of collaboration, noting that in her experience, the CIO is often the first to recognise security risks and advocate for the introduction of a CISO into the organisation. 

"It's about working as peers and being collaborative," she emphasises. "The relationship must be respectful and rooted in mutual understanding."

Vicky's experience suggests that the placement of the CISO within the organisational structure—whether as a compliance function or an operational one—can influence how security measures are implemented. Regardless of where the CISO sits, the collaboration between the CIO and CISO is essential for deploying effective security strategies.

Cybersecurity risk: the importance of a unified strategy

Shikha Hornsey, CIO at Crown Commercial, echoes the sentiment that collaboration is critical. She has observed that the CIO-CISO relationship works best when both roles operate as a team, with the CISO often reporting to the CIO while maintaining a dotted line to the board or CEO. This structure ensures that security is integrated into the broader business strategy, with both parties aligned on the company's objectives.

Victor Murineanu, Information Security Manager at Chelsea Football Club, adds that the effectiveness of the CISO role depends heavily on the partnership with the CIO. He points out that the CISO's role is not just technical; it involves understanding compliance, HR, and other aspects of the business that the CIO may not typically interact with. "The evolution of the CIO-CISO relationship has moved from a technological focus to a joint strategic focus," Victor explains. "What's important is that we're aligned on the company's objectives."

The role of AI and automation in cybersecurity

As the discussion shifts to the impact of emerging technologies, Victor highlights the transformative role of AI in cybersecurity. He notes that AI has lowered the barrier to entry for cyber attackers, making it easier and cheaper to launch attacks. This has shortened the window of opportunity for defenders to detect and respond to threats, necessitating a shift in how organisations approach cybersecurity.

Victor argues that complete visibility over the network, coupled with automation, is critical for staying ahead of cyber threats. By automating parts of the cyber response process, companies can reduce the cost of breaches and improve response times. "We need to be smarter about how we use our budget," Victor asserts, emphasising the importance of efficiency in cybersecurity investments.

Strategic prioritisation and investment

Shikha builds on this by discussing the need for strategic prioritisation in cybersecurity. She agrees that AI can significantly enhance defences, but warns that the increased technical complexity of both CIO and CISO roles requires careful investment in the right technologies and people. "Having a leader who is capable and competent is key," she advises. "At the end of the day, when something happens, sometimes a human call needs to be made, particularly where it impacts customers."

Inchcape’s CISO Tammy echoes this sentiment, stressing the importance of readiness and proactive threat hunting. "It's not about reactiveness anymore," she says. "It's about understanding the threat, seeing it coming in the early phases, and being ready to respond." For Tammy, the focus should be on skills, proactive threat hunting and having playbooks ready for different scenarios.

The role of actionable intelligence

Raj emphasises the need for actionable intelligence in modern cybersecurity. He points out that the frequency of zero-day exploits has increased dramatically, making it crucial for businesses to gather intelligence that is not only relevant but also actionable. "We don't need another 300-page report," Raj argues. "What we need is to know whether a vulnerability is being exploited in the wild, and if so, how to respond quickly."

The panellists agree that real-time visibility and dynamic threat modelling are essential for staying ahead of cybersecurity risk and threats. As Tammy notes, "We need to be able to do dynamic threat modelling, understand the vulnerabilities in our environment and auto-heal issues where possible."

Managing stress in cybersecurity

The conversation touches on the personal toll that comes with holding a CISO or CIO position. Vicky shares that having the right people around her and being able to share concerns with her team and executive colleagues helps manage the stress. "Security is a team sport," she says. "It's not just one department's job to look after security."

Shikha concurs, acknowledging that the responsibility can weigh heavily on those in these roles. "Sleepless nights are part of the title," she admits. However, she also emphasises the importance of having a strong team and the ability to share concerns to alleviate some of the pressure.

Interested in this topic? Explore more thought leadership insights and in-depth Studio roundtable discussions on the CIO and CISO.