Clarifying the Roles of Information Security: 13 Questions the CEO, CIO, and CISO Must Ask Each Other

The chief executive officer (CEO), chief information officer (CIO), and chief information security officer (CISO) walk into a bar. The CEO orders a light beer. The CIO normally orders his full-bodied stout beer but being politically savvy and noticing the CEO’s order, also orders a light beer. The CEO’s order has raised the curiosity of the CIO, and he just can’t help but ask the CEO, “Why not have a real beer, one with all the flavor and the way beers are supposed to be made?” The CEO explains that there is just as much flavor for her needs, but with a much lower personal cost to the waistline. A few seconds later, the CISO comes in and orders a double shot of whisky and downs it in one gulp. The CEO turns to the CISO and says, “Did you have a bad day, is there something I should be concerned about?” The CISO replies, “No, I just saw that you ordered a light beer and figured we would be doing some belt-tightening, the business was losing money, you would cut my budget, and we are probably going out of business. Was the CIO trying to be in touch with the needs of the CEO? Was the CISO overreacting? We have all heard many different versions of bar jokes; however, each reminds us there are simple lessons to be learned. Let’s examine the roles of the CEO, CIO, and CISO further to understand their real roles within the organization necessary to move the business forward with respect to information security.