IT Security: Leading the Safety Effort

By Cynthia Cavendish-Carey, Vice President, C4CS

The fourth in the series, this article delves into the essential leadership roles for the two distinct areas for the protection of data and IT assets: IT Security and Information Technology.

There are typically two roles that lead these groups within a company.

  1. Chief Information Security Officer (CISO): A senior-level executive with a risk-management mentality, typically reporting to the Chief Executive Officer (CEO) and responsible for developing, implementing and overseeing a robust information security program. This includes protocols and policies to protect all organizational systems, assets and communications from internal and external threats. This role must be informed as to where all data resides throughout the enterprise in order to assure that practices will comprehensively address safety and security. Whenever new systems and technology equipment are under consideration, the CISO should be an essential part of the due diligence and decision-making process.
  2. Chief Information Officer (CIO): Also usually reporting to the CEO, this executive is accountable for managing and implementing all information and computer technology (i.e., systems, hardware, and software), including the responsibility for modernizing business processes and system improvements for efficiency. Further, the CIO is charged with making certain that all business processes are running smoothly in order to achieve business goals and objectives.

With new threats emerging every day, the CISO’s judgment is critical to ensuring that the Board of Directors and C-level executives are informed as to existing dangers within current technology infrastructure as well as those that could pose a hazard with new equipment and protocols. Although this role can sometimes appear to be somewhat of a roadblock to “progress,” its fundamental purpose is the protection of the enterprise and its business interests, and it should be viewed as such.

Rather than being perceived as adversarial relationships (as well as sometimes being seen as competing with other C-level roles), the CISO and CIO roles must work in partnership with one another even though they have very different responsibilities. These team members typically have certifications for each of their roles, including Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Government Chief Information Officer (CGCIO) certifications.

Both positions often require a hefty percentage of a large corporation’s payroll. So, what if a mid- or small-sized company needs but simply cannot afford one or both functions internally?

Outsourcing is a solid option for companies that do not have the resources or structure to support having these jobs embedded. There are many organizations that offer virtual CISO or CIO services. In many cases, this is not only an affordable alternative, but it also brings a level of expertise that could not be achieved with a direct hire.

Company leadership considering outsourcing as a viable alternative should look at costs, but also at the service provider’s ability to tailor the offering; experience within the industry sector, particularly regarding risk assessment; willingness to train employees; compliance assurance expertise and experience with regulatory bodies, multiple agencies, and customer requirements; and a mindset toward return on investment pursuant to the company goals and objectives.

Whatever option a company chooses, it has never been more important to embrace a risk management culture where technology is concerned. Protection of data and assets is vital to survival – now more than ever.

In partnership with Catalyst Connection, Pittsburgh-based C4CS® provides customized crisis management and IT security consulting and training. Available group training and one-on-one crisis leadership coaching includes virtual and in-person tabletop and other crisis exercises built around realistic scenarios such as industrial accidents, cybersecurity incidents, employee and product crises among other hypothetical situations. To learn more about how C4CS can assist your organization, email: