
October 21 Blog

10/21/2024


Who Should Oversee Cybersecurity in the Absence of a CISO?

In today’s rapidly evolving cyber threat landscape, organisations face the daunting task of securing their digital assets and ensuring business continuity. Traditionally, a Chief Information Security Officer (CISO) would be responsible for this, but in their absence, which C-suite leader should take charge of cybersecurity? The debate often focuses on the Chief Operating Officer (COO), Chief Information Officer (CIO), Chief Financial Officer (CFO), or even the Chief Human Resources Officer (CHRO).
However, cybersecurity is not merely a technical or operational issue; it is a strategic imperative that affects every aspect of the business. And ultimately, the board of directors holds overarching responsibility for ensuring that cybersecurity risks are appropriately managed.
1. The Chief Operating Officer (COO)

COOs oversee the operational continuity of the business, making them naturally attuned to the importance of integrating cybersecurity into the overall risk management framework.
Advantages:
  • Operational Risk Mitigation: The COO can ensure that cybersecurity protocols are woven into business continuity and disaster recovery plans.
  • Process Optimization: With their focus on efficiency, the COO can implement security measures that align with day-to-day operations.
Challenges:
  • Limited Cyber Expertise: While the COO can ensure operational alignment, they may lack the technical skills required to fully understand evolving cyber threats.
2. The Chief Information Officer (CIO)

The CIO manages the company’s technology infrastructure and is typically seen as the natural choice to take over cybersecurity responsibilities.
Advantages:
  • Technical Proficiency: The CIO has an in-depth understanding of the IT systems that need to be secured and is well-equipped to deploy cybersecurity solutions.
  • Integration with IT Strategy: The CIO can seamlessly integrate cybersecurity into the company’s broader IT and digital transformation initiatives.
Challenges:
  • Human Factor Underplayed: CIOs often focus on technological defences but may overlook the importance of human behaviour and corporate culture in preventing cyber incidents.
3. The Chief Financial Officer (CFO)

Given the significant financial consequences of a cyberattack, the CFO plays an important role in understanding the financial risks and compliance obligations associated with cybersecurity.
Advantages:
  • Financial Risk Focus: CFOs excel in balancing the costs of cybersecurity investments with potential financial losses from a cyber incident.
  • Regulatory Compliance: CFOs are often involved in managing compliance and ensuring that the company meets relevant cybersecurity regulations.
Challenges:
  • Lack of Technical Insight: The CFO’s focus on financial metrics means they may not have the technical expertise needed to drive a robust cybersecurity program.
4. The Chief Human Resources Officer (CHRO)

In a time when human error is one of the leading causes of cyber incidents, the CHRO’s role in cybersecurity is becoming more significant.
Advantages:
  • Human-Centric Approach: The CHRO understands the importance of shaping a security-conscious corporate culture, ensuring that employees are aware of their role in safeguarding the organisation.
  • Employee Training and Awareness: HR can lead initiatives to train employees on cybersecurity best practices, significantly reducing the risk of human error leading to breaches.
Challenges:
  • Limited Technical Capabilities: While HR is critical in managing the people side of cybersecurity, the CHRO typically lacks the technical knowledge to oversee the organisation’s full security strategy.
Cybersecurity and Corporate Culture: The Role of HR

Corporate culture plays a vital role in cybersecurity. Employees are often the first line of defence, and fostering a culture where cybersecurity is a shared responsibility across the organisation is critical. HR is instrumental in shaping this culture through training, awareness, and behaviour management. When employees understand that cybersecurity is everyone’s responsibility, they become more vigilant, reducing the risk of human error.

The Board of Directors: Ultimate Responsibility for Cybersecurity

While the COO, CIO, CFO, and CHRO each bring essential perspectives to managing cybersecurity risks, ultimate responsibility does not rest solely with these senior managers. In fact, the board of directors carries the final accountability for ensuring that cybersecurity risks are effectively mitigated.
The board must not only ensure that the right cybersecurity strategies are in place but also hold senior leadership accountable for implementing and maintaining those strategies. Cybersecurity is a critical business risk, just like financial performance or legal compliance, and it should be treated with the same level of oversight. As the stewards of corporate governance, board members must ensure that cybersecurity is embedded in the organisation’s overall risk management framework, allocating the necessary resources and support to the executive team.
Conclusion: A Cross-Functional and Board-Led Approach

In the absence of a CISO, managing cybersecurity requires a cross-functional approach that leverages the strengths of the COO, CIO, CFO, and CHRO. However, it’s not enough for these roles to operate in silos. Cybersecurity must be seen as a shared responsibility across the senior leadership team, with input from all functions to ensure that technical, operational, financial, and human risks are adequately addressed.
Yet, the ultimate responsibility for cybersecurity rests not only with senior management but with the board of directors. The board must take an active role in overseeing cybersecurity strategy, ensuring that the company is prepared to defend against evolving threats. By holding the executive team accountable and providing the necessary oversight, board members ensure that cybersecurity is treated as a core business priority, safeguarding the organisation’s long-term success in an increasingly risky digital world.
Cybersecurity is no longer a technical issue; it’s a strategic one, and it demands attention at the highest levels of leadership.
Author

Patrick – Founder of Cyberplanz | Business Strategist | Cyber Governance Advocate

Patrick combines deep business experience, including an MBA, with up-to-date cybersecurity expertise, including certification as a PECB ISO/IEC 27001 Lead Implementer. He helps businesses grow while staying secure, bridging the gap between cybersecurity and real-world operations with clear, human-centric solutions. Passionate about culture, clarity, and resilience, Patrick champions the belief that cybersecurity is everyone’s business, not just IT’s.
