For those who have held both CIO and CISO roles, what benefits and challenges have you experienced, and how have you managed the overlap between IT leadership and cybersecurity?
Handling both roles is complex, but it offers a significant benefit: I fully understand the business impact of any IT or security change. For example, I know the financial consequences of taking down our ERP system and can plan patch management and upgrades accordingly. If these roles were separated, a CISO might not have the same insight into business operations. Incident response is also more streamlined, as I am involved in every aspect. Our greatest threat remains our users, and I have experienced two business email compromise (BEC) attacks due to credential exposure. Being involved in both roles has helped me manage incident response and address these issues comprehensively.
I am relatively new to managing both CIO and CISO roles at Ellis Medicine, a small hospital that previously lacked a formal security posture. After hiring an ISO without success, I now oversee both IT and security, supported by a security engineer in a technical capacity. We are still establishing foundational elements, such as a business impact analysis and a risk register. The process is ongoing as we work to build a comprehensive security program. Also, having oversight of both IT and security simplifies budgeting and planning, allowing for more strategic decision-making.
I do not hold both roles, as we have a dedicated CISO. Both of us report to the CFO, and the CISO ensures our business units adhere to cybersecurity standards, including SOX compliance. Our partnership is strong, especially when deploying new security agents across endpoints and servers. I agree that users are the biggest concern, particularly with the rise of AI, deepfakes, and social engineering. The threat landscape is constantly evolving, making user education and vigilance critical.