What cybersecurity topics do you think are critical for CIOs to be more involved in, even in orgs that have a CISO?

Data & AI Principal Architect, Financial Services, Australia & New Zealand in Banking, a year ago

Note this is my individual opinion on this and it's from my perspective as a principal Data & AI architect in the Financial Services industry working for IBM Consulting in Australia.

There are several critical cybersecurity topics that CIOs should be deeply involved in, especially for organisations that either have or don't have a Chief Information Security Officer (CISO):

1. Zero Trust Architecture
   - For organisations without a CISO: CIOs must lead the shift toward a Zero Trust model, ensuring that the network is designed to verify every access request based on identity and behaviour, whether inside or outside the organisation.
   - For organisations with a CISO: CIOs and CISOs should collaborate on integrating Zero Trust principles across all business units and ensure alignment with digital transformation initiatives.

2. Cloud Security & Hybrid Cloud Governance
   - Without a CISO: CIOs must spearhead efforts to secure cloud infrastructure, including data encryption, identity management and access controls while ensuring that compliance with industry standards (like ISO 27001, GDPR, etc.) is maintained.
   - With a CISO: CIOs should work with the CISO to implement and regularly audit cloud security policies, ensuring cloud-native security practices are embedded in both public and hybrid cloud strategies.

3. Identity and Access Management (IAM)
   - Without a CISO: CIOs will need to take direct ownership of identity and access management to mitigate risks from internal threats, while ensuring proper employee onboarding and offboarding processes.
   - With a CISO: They should work together to advance IAM policies, including the adoption of technologies such as multi-factor authentication (MFA) and privileged access management (PAM).

4. Cyber Resilience and Incident Response
   - Without a CISO: CIOs are responsible for ensuring the organisation has a robust cyber resilience strategy in place, including disaster recovery, business continuity and effective incident response capabilities.
   - With a CISO: The CIO should ensure alignment between IT infrastructure and the security team's response plans, including tabletop exercises and active collaboration during incidents.

5. Supply Chain and Third-Party Risk Management
   - Without a CISO: CIOs must closely monitor third-party risks, ensuring that security due diligence is conducted for vendors, especially in the wake of the increasing frequency of supply chain attacks.
   - With a CISO: Collaboration is crucial to build a risk management framework that includes vendor assessments, security questionnaires, and contracts with stringent security clauses.

6. Data Privacy and Regulatory Compliance
   - Without a CISO: CIOs need to own the organisation's response to privacy regulations like GDPR, CCPA or industry-specific rules (e.g., PCI DSS for financial services), ensuring secure data management practices.
   - With a CISO: The CIO should support the CISO in leading regulatory audits, ensuring compliance requirements are met across all departments and adjusting policies as needed.

7. Artificial Intelligence and Automation in Security
   - Without a CISO: CIOs should explore the implementation of AI-driven security tools such as behavioural analytics, security information and event management (SIEM) and automated incident response to detect threats and enhance overall security posture.
   - With a CISO: The CIO and CISO can collaborate on strategic investments in AI tools for threat detection and response, leveraging analytics for faster decision-making.

8. Endpoint Security and Remote Work Threats
   - Without a CISO: CIOs need to ensure that endpoint security measures are continuously updated, including the use of anti-malware, VPNs and secure remote access solutions for remote workers.
   - With a CISO: They should focus on creating a unified endpoint management strategy and ensuring the workforce is trained on best practices for secure remote work.

9. Ransomware Defence and Recovery
   - Without a CISO: CIOs must lead the organisation's defence against ransomware by implementing proper backups, segmenting networks and ensuring that employees are trained on phishing prevention.
   - With a CISO: The CIO and CISO should collaborate on establishing an end-to-end ransomware response plan, which includes not only technical solutions but also legal, PR and financial preparedness.

10. Cybersecurity Culture and Training
   - Without a CISO: CIOs need to build a cybersecurity-conscious culture, ensuring that security awareness training is a priority across the organisation.
   - With a CISO: Both can partner to develop and refine training programs that address emerging threats like social engineering, phishing and insider risks.

IBM Consulting emphasises a collaborative approach to cybersecurity where CIOs work alongside their IT teams, third-party vendors and where applicable, their CISOs to address these critical areas.

Chief Information Technology Officer in IT Services, a year ago

Cybersecurity isn't just an IT issue; it's a core business risk. CIOs need to ensure that security decisions are aligned with business objectives and that cybersecurity is prioritized at all strategic levels. CIOs can help integrate cybersecurity into enterprise risk management frameworks, ensuring that leadership and the board fully understand the business impacts of cyber threats.

IT Manager in Construction, a year ago

The CIO must be focused on the IT&DS governance and the IT&DS resources management but also, being directly in touch with the top management, on the strategic vision and alignment with the business strategies (it is more an executive/management profile).
It is important to highlight how close the collaboration between CIO and CISO is, as they work together to meet a corporate-grade security posture.

In reality they are not interchangeable.

Director of IT in Healthcare and Biotech, a year ago

Cybersecurity governance and risk management (setting up monitoring of emerging threats), data protection and privacy compliance (standardize on data protection across all channels), incident response and recovery planning (setting up coordinated response actions and playbook), third-party vendor risk management (setting up reviews of their security controls and compliance with organizational standards).
