He believes these dual-title roles can provide a more direct reporting line to the CEO or board, which is important for risk reporting. It gives the CISO greater autonomy to report to the board and helps them understand business risk because the CISO is looking across all the different parts of the organization. “It’s not just technology, it’s data, users, customers, and threats. It’s thinking about how to make the business resilient, and the board and the CEO need to have that transparency and the ability to work bilaterally with the CISO,” Pasteris tells CSO.

Holding both roles also helps harmonize the mission of driving business efficiencies while keeping the organization secure, which can sometimes be at odds. Additionally, CISOs understand what the business outcomes need to be and where the business risk is as well. “We have an ability to bring all that together and it becomes really valuable to the organization. That’s why you’re seeing the CISO start to move up to the COO role,” Pasteris tells CSO.

One of the other distinguishing features of the CISO role is that it’s both a provider and consumer of security services, putting it in a somewhat unique position to understand the development pipeline for engineering, the marketing stack, what the sales team is using and so on, says Chad McDonald, COO at Radiant Logic.