The role, the challenges and the responsibilities of a CIO with Milos Topic.

Apex sat down with Milos Topic, Vice President & Chief Information Officer of Saint Peter’s University. With 20 years of experience in leadership, innovation strategies, technology implementation and business development, Milos shares his views on the role of a CIO and what it means to be an IT leader today.


Q: What is IT doing to support innovation?

A: IT is meant to drive innovation and enable others to do the same and take part. IT is a critical partner and a “golden thread”, if you will, across everything modern businesses and organizations do. As such, it is uniquely positioned to provide value to all. Furthermore, innovation comes in many forms, but it always requires action. Thinking, planning and strategizing are all wonderful and valuable, but without action, not much will get accomplished.

Q: What is the single most important thing CIOs should be focusing on today?

A: CIOs as well as all executives should be focused on people and business growth. Modern CIOs are more customer facing and are spending time on strategy, vision and innovations across and beyond the enterprise.

Q: Should IT be a business enabler?

A: IT is business in a sense, or it is at the very least an essential part of every modern and competitive organization. As such, it should provide options to challenge old (and at times outdated) business models before others (from the outside) do it for them.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I have invested years (and continue to do so) in building and nurturing relationships across various industries, sectors and markets. These relationships paired with various events (such as those hosted by Apex) are of critical significance in staying current and learning from those who may be further along.

Q: What is the biggest challenge for a CIO today?

A: It varies across industries and different maturity models of organizations, but I do believe that attracting and retaining top talent is one of the largest priorities; it certainly is for me. In today’s world, and in major markets such as the greater New York City area, people have options, which is great for them, yet challenging to many organizations.

Q: What is the difference between a CIO and a CTO?

A: Titles vary, but in general, a CIO should be focused on customers, innovation, strategy, growth and providing value to other major areas (Finance, Marketing, Operations, Security, Legal…) while a CTO is leading the existing services and ensures smooth operations of teams.

Q: How has the role of the CIO changed over your career?

A: Visibility has increased, and so have the responsibilities. CIOs have now earned seats on top management teams among their executive leadership peers. They are also more involved in the overall business vision, strategy and direction than ever before. All of these changes have taken place across organizations that are current and future proofed, while others are still behind and are struggling across some of these areas.

Q: What advice would you give an early stage CIO joining an organization?

A: Get as close to the business as you possibly can and learn everything about it. Build relationships, provide value to others and always give more than you take, in every exchange. Spend time and resources on developing leadership, strategy and negotiation skills as they matter in all that we do, professionally and personally.

Q: How important is the relationship between a CIO and a CISO?

A: While the reporting structure is debated by some, the relationship is very important. CIO relationships with everyone they work with are of importance, from CISO, to CFO, CMO, COO…all the way to the CEO. The entire C-suite needs to be unified and transparent with each other in order for all of them to move forward and make progress.

Q: What is the largest obstacle a CIO faces when it comes to security?

A: People. Training and organizational requirements for how data is stored, used and shared. Furthermore, many organizations are not funding information security adequately and proactively.

Q: What falls under the CIO’s responsibilities when it comes to security?

A: I’m of the belief that there should be one top technology leader and that is a CIO. Everyone else should report to them with varying degrees of authority. When it comes to finance, marketing, legal…they are all ultimately under one leader while IT seems to be fragmented in some organizations. The only potential exception is an area responsible for the overall risk, liability and governance for the entire business…they could be outside IT with strong collaborative partnership with the CIO and their leadership team.

Q: How do you see the security landscape changing over the next 12 – 18 months and how are you preparing?  

A: Robots are taking over. From machine learning to artificial intelligence, people can’t keep up with the volume and complexity of threats, so continuous investments in tools and technologies are expected. We are experimenting with robotic process automation (RPA) and machine learning, and will continue to stay current with what is available.

Q: How worried are you about the “human element” when it comes to security?

A: It is the weakest link in this chain. People make mistakes in opening emails, sharing data, configuring technology (both software and hardware)…the list goes on. Cyber security awareness training should be mandatory across all organizations and should be part of one’s employment record at some point in time.


Milos Topic

Vice President & Chief Information Officer


I believe that everything begins and ends with leadership. Leaders have the greatest responsibility for the impact and influence over the people they lead and the outcomes of their organizations as a whole. Furthermore, I am passionate about IT being a trusted strategic partner and an advisor (a service broker) to the entire organization as technology must drive innovation across organizations and provide both strategic and operational business solutions.

I have 20 years of experience in leadership, innovation strategies, technology implementation & business development while my formal education is a blend of science, technology and business. My journey in the Information Technology (IT) profession started in 1997 and over the past 20+ years I have worked on nearly all aspects of IT. I got underway with networking/cabling installs; tech support to programming in C++, C#, Java; web development; system/network security/administration to my most recent positions of leading teams of amazing people providing technology solutions and services while supporting a multitude of organizational needs. Finally, it is essential to always focus on people first, as they matter the most in everything we do.

Sara Nunez: Being a Woman In Technology

Apex sat down with Sara Nunez, award-winning global Program Management executive. With her experience transforming organizations by applying a broad range of integrated strategic execution best practices and business development initiatives, she shares her thoughts on being a Woman in Technology. 

Q: Is the lack of women in tech really a pipeline problem or is that companies are not providing the culture to cultivate and promote their women talent?

A: We need to do research on this topic. There are many factors to this challenge. 1. We were created with special attributes, just as men were created.  2. Society and Cultures have a lot to do with this issue as well. 3. We need women to unleash their potential without looking at this as competition with men. Companies are us people, therefore, it is our duty to transform and enable success with the right mix of people required regardless of them being women or men.

Q: Does the current conversation about women in tech single women out and leave men out of the solution in your organization?

A: The current conversation is needed and I do believe it is a concern for both sides.

Q: What can organizations do to get more women into senior level and executive positions? Where do you see gaps?

A: Companies are looking for talent and new skills.  We need more qualified women with thick skin to be leaders and apply for senior level positions.

Q: What can companies do to address unconscious bias at all levels of the organization?

A: HR and hiring programs should measure the desired outcome and strategize to make it happen. A balance and diversity is critical for organizations around the world.

Q: What advice would you give to a woman considering a career in the tech industry? What do you wish you had known?

A: My mentor once told me, if you love what you do, you will be amazing at it. If you are considering a career in the tech industry you have to love it, be an expert at it. Spend extra time to go beyond. You are not competing with men, you are complementing them, and together as a team you will succeed. Be you, be a woman.

Q: What do you think is the biggest challenge for the next generation of women and how can we be stronger role models for them?

A: I think the biggest challenge is to keep up with rapid technology changes and the ability to create knowledge rather than looking for it.  Writing articles and visiting universities to share your knowledge with a new generation could give us the platform to prepare them to succeed.  We need to pay forward and push them hard.

Q: How is your organization creating programs and training for men to be better advocates for women specifically around support and sponsorship?

A: Multiple programs are in place, from Leadership Dev Programs and global assignments to mentoring and sponsorships.

Q: How can women better support other women in technology?

A: We need to excel and inspire women to follow the steps and make giant moves to be recognized and valued for who we are.

Q: It is no secret that many women in the tech industry have felt their gender has affected the way that they are perceived or treated in their role. Have you come across a situation that made you feel that way?

A: Do not allow that to happen.  We are in a company to drive results and motivate each other to succeed.  We are ONE.


Sara Nunez, IT Enterprise PMO Director

Dynamic, award-winning global Program Management executive and advisor to the C-suite who ensures strategic PMO is embedded throughout the enterprise’s DNA. Transforms organizations by applying a broad range of integrated strategic execution best practices and business development initiatives. Drives organizational goals, improves performance and efficiencies, and capitalizes on revenue-generating opportunities. Generously shares expertise to inspire a passion for learning, creating high-performance teams with intellectual and emotional connection to their work. Agile and multicultural, with expertise across a broad range of industries including telecommunications, technology, wealth management, and education.

Global Talent Shortage is Top Emerging Risk Facing Organizations

Staff shortages have escalated in the last three months to become the top emerging risk organizations face globally, according to Gartner, Inc.’s latest Emerging Risks Survey.

“Organizations face huge challenges from the pace of business change, accelerating privacy regulations and the digitalization of their industries,” said Matt Shinkman, managing vice president and risk practice leader at Gartner. “A common denominator here is that addressing these top business challenges involves hiring new talent that is in incredibly short supply.”

Table 1. Top Five Risks by Overall Risk Score: 1Q18, 2Q18, 3Q18, 4Q18

Rank | 1Q18               | 2Q18                  | 3Q18                  | 4Q18
1    | Cloud Computing    | Cloud Computing       | Accelerating Privacy  | Talent Shortage
2    | GDPR               | Cybersecurity         | Cloud Computing       | Accelerating Privacy
3    | Cybersecurity      | GDPR                  | Talent Shortage       | Pace of Change
4    | Global Economic    | AI/Robotics Skill Gap | Cybersecurity         | Lagging Digitalization
5    | Social Engineering | Global Economic       | AI/Robotics Skill Gap | Digitalization

Sixty-three percent of respondents indicated that a talent shortage was a key concern for their organization. The financial services, industrial and manufacturing, consumer services, government and nonprofit, and retail and hospitality sectors showed particularly high levels of concern in this area, with more than two-thirds of respondents in each industry signaling this as one of their top five risks.

Gartner research indicates that companies need to shift from external hiring strategies towards training their current workforces and applying risk mitigation strategies for critical talent shortages.

“Organizations face this talent crunch at a time when they are already challenged by risks that are exacerbated by a lack of appropriate expertise,” said Shinkman. “Previous hiring strategies for coping with talent disruptions are insufficient in this environment, and risk managers have a key role to play in collaborating with HR in developing new approaches.”

Talent Shortage May Exacerbate Other Key Risks

Beyond a global talent shortage, organizational leaders are grappling with a series of interrelated risks from a rapidly transforming business environment. Accelerating privacy regulation remained a key concern, dropping into second place in this quarter’s survey. Respondents indicated that the pace of change facing their organizations had emerged as the third most prominent risk, while factors related to the pace and execution of digitalization rounded out the top five emerging risks in this quarter’s survey.

Mitigation strategies to address this set of risks often come at least partially through a sound talent strategy. For example, a key Gartner recommendation in more adequately managing data privacy regulations is the appointment of a data protection officer, while both GDPR regulations and digitalization bring with them a host of specialized talent needs impacting nearly every organizational function.

“Unfortunately for most organizations, the most critical talent needs are also the most rare and expensive to hire for,” said Shinkman. “Adding to this challenge is the fact that ongoing disruption will keep business strategies highly dynamic, adding complexity to ongoing talent needs. Most organizations would benefit from investing in their current workforce’s skill velocity and employability, while actively developing risk mitigation plans for their most critical areas[…] Read more ».”



New Year’s Resolutions for CIO and Digital Transformation Leaders

Happy holidays and new year everyone! Have your final cocktails of 2018, read up on my driving digital predictions for 2019, and get ready to lead your organizations through what is likely going to be a jittery year of successes, surprises, and necessary pivots.

I’m guessing you have your 2019 plan locked and loaded, but if you’re a reader of my book Driving Digital, my articles (here and on InfoWorld and CIO) and the monthly Driving Digital Newsletter, you’ll know that roadmaps need ongoing refinement.

So with that, allow me to suggest some new year’s resolutions that you might want to bake into your 2019 plans.

Develop relationships, then drive change

If transformation is a journey, then you had best be prepared to meet, learn from, question, inspire, and drive change with new people every day. These activities should occupy a healthy percentage of your weekly activities, especially because you need relationships and empathy before you can drive culture, behavioral, and process changes. Consider establishing a Driver’s Voice Meeting, taking steps to become an agile organization, looking for new ways to reward top performers, and seeking other practical advice for managing organizational change. The number one reason digital transformations fail is that executives fail to embrace that it’s a bottom-up transformation that will require change across the organization.

Roadmap a proactive data governance program

With the initial GDPR compliance behind us, I hope more organizations will take proactive steps and invest in data governance programs. Yes, you cannot afford to lag in your industry with data, analytics, and AI, and maybe you are already becoming a real time enterprise, but most experts agree that investing in data quality, cataloging, and access policies is a critically important step. 

Read three more of Isaac’s Driving Digital new year’s resolutions for CIOs and digital transformation leaders.


Isaac Sacolick is a former CIO and CTO and now President of StarCIO, a services company that helps businesses drive smarter, faster, and more innovative business transformations. He is the author of Driving Digital: The Leader’s Guide to Business Transformation through Technology which covers many practices such as agile, devops, and data science that are critical to successful digital transformation programs. Sacolick is a recognized top social CIO, digital transformation influencer, and blogs at Social, Agile and Transformation, InfoWorld and

Ohio Implements Data Protection Act

The state of Ohio has implemented its Data Protection Act to encourage businesses to voluntarily adopt strong cybersecurity controls to protect consumer data.

Senate Bill 220, the Data Protection Act, was sponsored by State Senators Bob Hackett (R-London) and Kevin Bacon (R-Westerville) and was signed into law in late 2018.

Senate Bill 220 provides different industry-recognized cybersecurity frameworks which a business can follow when creating its own cybersecurity program. In order to receive the benefit of the safe harbor, a business must create its own cybersecurity program.

The legislation provides an affirmative defense to a lawsuit which alleges a data breach that was caused by a business’ failure to implement reasonable information security controls.

Businesses are only required to incorporate one of the frameworks into the business’ cybersecurity program[…] Read more ».

Philadelphia University’s Cybersecurity Program Receives “Top Curriculum” in the US

An industry-leading educational research organization has named La Salle University’s Master of Science in Cybersecurity a top 25 internet security program for 2019, and also awarded the program “best curriculum.” The organization analyzed every online master’s program in internet security in the nation with a team of 43 industry experts, hiring managers, current students and alumni.

According to the organization, the study leveraged “an exclusive data set comprised of interviews and surveys from current students and alumni in addition to insights gained from human resources professionals.” Their methodology weighted academic quality (academic metrics, online programming, and faculty training and credentials) at 40 percent, student success (graduate reputation, student engagement, and student services and technology) at 40 percent, and affordability (average net cost, percent of students with loans, and default rate) at 20 percent. The study incorporated current data from the Integrated Postsecondary Education Data System (IPEDS) and statistical data from the National Center for Education Statistics. Only programs from accredited nonprofit institutions were eligible.

“We are honored to be recognized as a top 25 internet security master’s program, with a special nod to our curriculum,” says Peggy McCoey, assistant professor and graduate director for La Salle’s M.S. in Cybersecurity. “We have developed a flexible, rigorous, and highly relevant program to ensure today’s students develop competencies in cybersecurity management as well as breach detection, mitigation and prevention. The Program balances both theoretical and practical aspects and draws key learnings from industry practitioners to ensure attention to ethical principles and changes related to cybersecurity.”

La Salle’s M.S. in Cybersecurity is a 100 percent online asynchronous program with three start dates and eight-week courses, so students can complete two courses per semester. The organization noted its “engaging courses in cyberwarfare, cybercrime and digital forensics” in support of its “best curriculum” designation[…] Read more ».



Is Your Data Breach Response Plan Ready?

Fifty-six percent of organizations experienced a data breach involving more than 1,000 records over the past two years, and of those, 37 percent occurred two to three times and 39 percent were global in scope, according to Experian. In 2017 in particular, there were more than 5,000 reported data breaches worldwide, and there were more than 1,500 in the U.S. alone.

In an effort to help businesses prepare for data breach response and recovery, Experian launched its new Data Breach Response Guide last month to provide in-depth strategy and tactics on how to prepare and manage incidents.

Security asked Michael Bruemmer, Vice President of Data Breach Resolution & Consumer Protection at Experian, how cybersecurity has changed recently and how enterprises can revamp their security strategies to be resilient and ready.

Security: How have typical responses to data breaches changed over the past five years?

Bruemmer: Fortunately, responses to data breaches are immensely better. There has been great progress in preparation, as 88 percent of companies say they have a response plan in place compared to just 61 percent five years ago, according to our 2018 annual preparedness study with the Ponemon Institute.

One of the biggest changes in data breach responses over the last few years is that organizations now have a breach-ready mindset and know it’s not about whether a breach will happen but rather when it will occur. Thus, many organizations now have a data breach response team in place, which is key to implementing a quick and adept response.

Businesses have also started to include public relations personnel on their data breach response teams, which has helped companies maintain more positive relationships with their stakeholders post-breach. There is still room for improvement: while companies have a plan in place, a large majority don’t practice their plans in a real-life drill setting, and the C-suite and boards are still not engaged enough in the process.

Security: What still needs to occur to improve enterprises’ data breach response protocols and practices?

Bruemmer: A few areas for improvement include actually practicing the data breach response plan and therefore, feeling confident the company can handle an incident successfully. In our 2018 annual preparedness study, only 49% of companies said their ability to respond to data breaches is/would be effective. One of the reasons may be that most boards of directors and C-suite executives are not actively involved in the data breach prep process, nor are they informed about how they should respond to an incident.

Another dynamic that requires attention, and is relatively new, is the passing of the General Data Protection Regulation (GDPR) overseas. Companies that operate internationally must understand the legislation and make sure they are equipped to handle a data breach that involves individuals globally. They should hire legal counsel who have knowledge and experience in this area and enlist partners that have multilingual capabilities and a presence in key countries. That way, operations such as notifying affected parties and setting up call centers can be executed quickly. Organizations are still catching up here.

Security: When auditing their data breach response plan, what in particular should security leaders be looking for?

Bruemmer: Businesses should conduct an audit of every component of a response plan. Security leaders should also assess whether external partners are meeting the company’s data protection standards and are up-to-date on new legislation. For example, healthcare entities should guarantee that business associate agreements (BAAs) are in place to meet the Health Insurance Portability and Accountability Act (HIPAA) requirements. Additionally, vendors should maintain a written security program that covers their company’s data. Realistically, an organization could have up to 10 different external vendors involved in a data breach response, so keeping this circle secure is important.

Security: What are the top three issues business security leaders should plan for next year?

Bruemmer: Businesses should keep an eye on artificial intelligence (AI), machine learning (ML) and cryptomining malware next year. In a continuously evolving digital landscape, advanced authentication, or added layers of security, have become increasingly important for businesses to adopt when it comes to safeguarding against potential data breaches. However, while AI and ML are helpful in predicting and identifying potential threats, hackers can also leverage these as tools to create more sophisticated attacks than traditional phishing scams or malware attacks. Criminals can use AI and ML, for example, to make fake emails look more authentic and deploy them faster than ever before. Cryptomining has also become more popular with the recent rise of Bitcoin and more than 1,500 different cryptocurrencies in existence today. Cybercriminals are taking every opportunity, from CPU cycles of computers, to web browsers, mobile devices and smart devices, to exploit vulnerabilities to mine for cryptocurrencies.

Security: Are there any key tools or strategies security leaders can use to better engage with the C-Suite?

Bruemmer: Unfortunately, the lack of engagement by the C-suite and boards seems to be an ongoing issue. In today’s climate, companies should employ a security leader in the C-suite such as a Chief Information Security Officer to ensure protection is a priority and administered throughout the organization.

There should be ongoing and frequent communication about security threats by this officer to leaders and the board. In this instance, it’s better to over-communicate rather than hold back vital information that could help mitigate potential reputation damage and revenue loss […] Read more »




Nearly Half of Americans Willing to Give Brands a Pass for a Data Breach

New data shows that the U.S. public is surprisingly forgiving despite data breaches and controversies as long as companies demonstrate good faith.

The Consumer Attitudes Toward Data Privacy and Security Survey by Janrain also found that 42 percent of U.S. consumers surveyed report at least being open to forgiving the brand, while 7% refuse to forgive brands for allowing bad actors access to their personal data. Fourteen percent have lost all faith in an organization’s ability to protect their data.

Nevertheless, consumers are increasingly taking control of their data into their own hands, the survey found. For example, 71% report downloading software that protects their data privacy or otherwise helps control their web experience. But Janrain’s survey brings good news to brands that are evaluating their consent-based marketing processes and capabilities in response to regulatory requirements or to strengthen customer relations.

If given the option, most people (55%) would let companies they trust use some of their personal data for specific purposes that benefit them in clear ways, the survey found. Only 36% wouldn’t let any company use their personal data. Sixty-six percent like the idea of being able to alert companies when they’re interested in something as long as they could “switch it off” when they’re no longer interested. Only 16% aren’t interested in this even if it came with preferences control.

When Janrain probed to gain more understanding about how effective digital brands have been in using consumer data to personalize their online ads, only 18% said ads “often” seemed to understand their needs, presenting brands with an important area for improvement. The largest bulk of respondents (47%) reported that these ads do seem to understand their needs at least “sometimes” while 26% said ads “hardly ever” understand them. Nine percent said online ads “never” do.

When asked whether they’d walk away from a business that requires personal information up front (like a phone number or email address) in order to conduct business, 15% of those surveyed said “yes” while 24% said “probably.” Fifty-four percent said it depends on whether the business is trusted or the only option.

Sixty-six percent of those surveyed renewed their call for GDPR-like rules in the United States that force brands to provide consumers with greater privacy, security and control of their personal data. Janrain asked a similar question in May of 2018 to which 69% responded favorably to more regulation in the States. This time, Janrain’s findings show consumers not only want more regulation, they believe it will actually help in the wake of high-profile breaches and controversies affecting well-known organizations such as Yahoo!, Equifax and Facebook. Only 9% believe such laws would be ineffective while only 6% believe more regulation would be too hard on businesses and the economy […] Read more »



8 Events That Changed Cybersecurity Forever

Cyber attacks happen daily and have evolved to become a pandemic. From the first computer virus to billion dollar data breaches at large-scale companies, we can learn a lot from cybersecurity history. And while threats continue to develop, so does the defense against them. Hackers are getting smarter, and it is our job to educate ourselves on past incidents so we can better prepare for the future. Take a look at these top 8 events that changed cybersecurity and made it what it is today.

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

The first computer virus was created in the early 1970s and was detected on ARPANET, the predecessor to the internet. In 1988 the first computer worm was distributed, gaining mass mainstream media attention. A quarter of a century later and viruses have evolved to become a pandemic. Viruses have proliferated quickly and malware has become more complex.

Cyber attacks happen daily and are constantly evolving. From computer worms to large data breaches, attacks come in all shapes and sizes. In the past quarter century alone, cyber attacks have evolved from tiny hacks created by high-school students to state-sponsored attacks compromising presidential elections.

While threats continue to develop, so does the defense against them. It’s important to remember these past events in order to combat impending attacks. Milestone incidents are what made cybersecurity what it is today – take a look at the top 8 events that changed cybersecurity, and why they (still) matter.

Though new cyber attacks appear each day, these top 8 watershed moments had a major impact on security and have led to where we are today. Here are just a few lessons we can learn from cybersecurity history.

  1. Never assume it won’t happen to you: Anyone and everyone is susceptible when it comes to data – whether it’s stored in the cloud or on premises.
  2. Hackers come from all over: Attacks no longer come exclusively from hackers in their parents’ basements. They have evolved geographically, advanced in sophistication, and the number of attacks from overseas has increased drastically.
  3. Insiders are just as dangerous: Vulnerabilities now come from the inside as well. All it takes is one click on a phishing email. Educate your employees on basic cybersecurity terms so that they are able to protect themselves and the company.
  4. Hackers are not going away: With change in technology comes change in crime — and cybercriminals are working harder than ever. It’s important to always be alert and keep up with important trends in order to keep you and your organization as safe as possible.

Unfortunately, the number of cyber attacks is only going to continue to increase, and the impact of those attacks is becoming more significant than ever. It’s important to arm ourselves with what we can: learn from the past and protect your data first, not last.

Uncover your biggest security risks with a data risk assessment – and see how Varonis helps protect your data from the next generation of cyber attacks.

Infographic Sources:
Infosecurity, CSO, Verizon Data Breach Report, Wikipedia, The Guardian

Rob Sobers is a Sr. Director at cybersecurity firm Varonis. He has been writing and designing software for over 20 years and is co-author of the book Learn Ruby the Hard Way, which has been used by millions of students to learn the Ruby programming language. Prior to joining Varonis in 2011, Rob held a variety of roles in engineering, design, and professional services.

Attention CEOs: The Great CISO Renaissance is Coming

In 2015, the Boston-based security advisory firm K-logix predicted an increase in Chief Information Security Officers (CISOs) reporting to CEOs, and in 2017 the NACD provided guidance to boards on basic cybersecurity principles.  However, CISOs continue to struggle for widespread recognition as executive officers.  Although the CISO is responsible for integrating privacy requirements into security program controls, the EU’s General Data Protection Regulation (GDPR) introduced and catapulted a different role into the executive ranks in 2018. The regulation creates a “Data Protection Officer (DPO)” role that serves as a quasi-regulator for EU data privacy compliance and must report directly to the highest level of management. Data Protection Officers usually sit within the Compliance function, closely associated with the General Counsel or legal department, and are integral to oversight of the company’s data privacy program.  In contrast, the CISO, who is responsible for technology risk management, may report through any of several executive functions depending on the industry and company. The General Counsel is no stranger to the executive table, so it should be no surprise that the new DPO role leapfrogged the CISO in the corporate hierarchy.

Although CISOs have been improving their business and risk management acumen by focusing on non-technology topics such as GDPR compliance, third-party oversight and enterprise risk management at recent security conferences, the majority of CISO job descriptions continue to mix tactical and strategic duties and continue to place the role under a CIO or CTO.  In response, an increasing number of seasoned CISOs are opting for independent consulting work in the growing Gig Economy rather than struggling for budget and resources within a company only to be sacrificed when the inevitable data breach occurs. If these challenges of rank and responsibility persist, the CISO could become a standard external appendage to a company, like an independent CPA firm or outside counsel providing advisory guidance.

If you are a CEO considering whether you want a CISO on your leadership team, I offer the following reminders regarding the CISO:  

  • The role of the CISO is strategic, not tactical

Some organizations proudly announce that they have passed their SOC 2 independent audit without any findings, as a way of communicating the maturity of their security program.  If those organizations expect a “clean” SOC 2 report to eliminate the need for a customer assurance program, they will be disappointed: an experienced CISO knows that a SOC 2 report can be scoped to leave the “dust and cobwebs under the carpet” out of view and focus only on the shiny production service or solution offered to customers.  SOC 2 reports are rarely accepted at face value as evidence of adequate governance of an enterprise risk management program. Additional audits and evidence will likely be necessary to satisfy partner and customer inquiries.

In another example, security solution providers usually begin their sales pitch by describing a legitimate business problem.  However, they quickly shift to product features rather than placing the business problem in the context of the other risks an organization faces, as the company’s executive team would do at a risk review.

The fallacy in both of these examples is the assumption that successful execution of a tactical project will translate into a strategic solution.  The truth is that the problem being solved may or may not be significant in the organization’s big picture, and the CISO should not waste time and resources on low-priority problems.  By elevating the role to the strategic level, the CISO gains the context needed to weigh operational risk across the organization. For example, according to IAPP, a survey by Soha Systems found that 63% of data breaches – nearly two-thirds – are attributed directly or indirectly to third parties.  If the CISO is focused exclusively on the technology used to secure products or services, the company could be missing the larger threat from the access granted to merchants, vendors and subcontractors.  That operational risk has little to do with technology and more to do with processes and permission management.

  • The role of the CISO touches the whole organization just like the Privacy Program

The privacy program and security program are complementary teams, like a right hand and a left hand.  Although they serve related functions within the organization, they are not the same. The privacy office defines the privacy requirements for the business, and the security program creates and implements the controls needed to meet those requirements.  Security and privacy programs are often combined under an Enterprise Risk Program. In the same way that a privacy program includes human resources, training, sales & marketing, corporate communications, legal & compliance, finance, and information technology stakeholders, so does the information security program.  However, the privacy program depends on the security team to implement the necessary controls. If the DPO reports to the CEO and/or Board of Directors but the CISO is not at an equivalent level, or is external to the organization, keeping the executive team current on the status of the security program becomes harder than it needs to be because of office politics and hierarchy.  The right hand and the left hand should communicate equally with the brain to perform a complex job requiring both hands; otherwise the right hand may not know what the left hand is doing.

Similarly, if the CISO’s budget is nested within a CTO’s or CIO’s budget, re-allocating funds to other departments with deficient security controls is an uphill battle for the CISO.  Assume that the CISO has determined that third-party risk is the biggest risk for the company, but that the procurement and/or human resources departments need additional resources to screen contractors and other partners adequately.  If the CISO relies on a cost center such as the CTO or CIO to present the case for additional funding to the executive team, the message may be diminished in translation, and the CIO or CTO may perceive higher priorities within their own department. Giving the CISO a seat at the table in executive team meetings will not only optimize spending decisions but will also improve collaboration and raise security and risk awareness among the executive team.

  • The role of the CISO is becoming a Regulatory Requirement

The Ponemon Institute has listed “Appointment of a CISO” as one of the factors that reduce the cost of a data breach for several years.   Not surprisingly, regulators are beginning to require the appointment of a CISO as a compliance obligation. For example, the New York Department of Financial Services requires each Covered Entity to designate “a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, ‘Chief Information Security Officer’ or ‘CISO’).”  Furthermore, the CISO is required to provide an annual written report to the board of directors or equivalent governing body on the cybersecurity program and material cybersecurity risks.  Although the New York regulation requires only an annual report to the board, the CEO should receive regular and recurring status on the company’s cybersecurity risks. In light of the additional focus on security and data privacy generated by public outcry, similar requirements may spread to other jurisdictions.

  • The role of the CISO includes some Individual Professional Liability

As referenced above, audits of corporate security and data privacy programs require that the individual responsible for governance of the program be qualified for the role and maintain his or her skills through continuing education.  This control is often addressed by requiring, in the job descriptions for these roles, industry-recognized certifications that carry continuing professional education (CPE) mandates, a code of ethics and a duty to the profession as a condition of certification.  Loss of a professional accreditation such as a CISSP, CISM, CISA, CRISC or C|CISO in the case of a CISO, or a CIPP or CIPM in the case of a DPO, is a potential risk to weigh when considering a role within an organization. Both CISOs and DPOs are likely to request Directors and Officers (“D&O”) Insurance / Professional Liability Coverage under the corporate policy as a condition of employment.

Under GDPR, regulatory fines for a company can reach 4% of annual global turnover or 20 million EUR, whichever is higher, for a privacy breach.  Some privacy professionals view the regulation as a “stacked deck” mechanism for funneling revenues to the EU from US companies.  Under the regulation’s “Accountability Principle,” the burden is on impacted companies to demonstrate their own compliance, including with the requirements for data protection “by design” and “by default,” which critics read as a presumption of guilt.

If that assessment is accurate, lawsuits against both companies and the officers responsible for the security and privacy programs are likely.  Companies also need to be wary of the risk of criminal prosecution associated with mishandling protected information.  CISOs whose professional credentials are presented to regulators, government agencies and customers as evidence of their qualifications will be reluctant to have their communications filtered through another corporate officer, especially if their recommendations go unimplemented because other risks were judged more pressing.  If an independent or fractional CISO is required to carry professional liability insurance covering regulatory fines on that scale, the premiums for that level of coverage make their services exorbitantly expensive, and the company will still need to cover its own liability insurance premiums. In-house CISOs covered under the company’s liability policy make more fiscal sense for regulated industries, which otherwise pay twice for the same coverage.   Previously unregulated companies are finding themselves within the material and territorial scope of GDPR, are being introduced to its compliance requirements and fines, and are only beginning to understand the impact on their organizations.


Experienced CISOs with an appreciation for enterprise risk are venturing out to form their own advisory practices in the booming “Gig Economy,” where they can choose their own clients, travel schedule, industry and risk tolerance.  If nothing changes, the trend towards “freelancing” is expected to continue. With full control over pricing and insurance for their “gigs,” these freelancers can set rates commensurate with the risk of each opportunity. According to one workforce survey, 34% of the total workforce, nearly 53 million Americans, were freelancers, and this share is expected to rise to 43% by 2020.  The irony is that the growth of the Gig Economy only increases the challenges for the CISOs who remain in corporate America: managing the risks associated with contractors grows more complex as the number of third parties engaged by an organization increases, so a critical mass is building.

The problem with the independent consulting option is that many CISOs really do WANT to be part of a leadership team and would choose that option if it were offered to them.  These executives rely on teamwork to make the program successful, and being an outsider who may or may not be able to use the client’s name as a reference diminishes the personal fulfillment and recognition of a job well done.  Creating a direct reporting relationship between the CEO and the CISO is one of the best ways to demonstrate management’s commitment to the security program, save insurance costs and increase the efficiency of the security and data privacy programs.  With improved visibility into enterprise risks, CEOs can be assured their teams are working on the right problems, and the security prowess of the leadership team grows through increased exposure to and collaboration with the CISO.

Donna Gallaher, CISSP, C|CISO, CIPP/E

Ms. Gallaher served as a C-Level Strategic Advisor in IT and Cyber Strategy for multiple global companies for over 15 years, drawing on her previous successes in engineering, solution selling, IT operations and leadership.  She provides value to clients by thoroughly understanding business and regulatory requirements, assessing obstacles and translating technical challenges into business risks, allowing technology to function as a business enabler.

Ms. Gallaher serves on the Board of Directors of the Technology Association of Georgia Information Security Society, Evanta CISO Southeast Governing Body and is active in the local ISSA and Cloud Security Alliance chapters.  She is active in the lobby efforts to shape cyber security legislation and her recent articles have been published on the National Technology Security Coalition website.

Ms. Gallaher holds CISSP, C|CISO, CIPP/E and ITIL certifications and is a graduate of Auburn University with a Bachelor of Science in Electrical Engineering.