Under pressure from regulations such as the NIS 2 directive, SMEs and mid-sized companies are asking their CIO to take on cybersecurity missions, for lack of the financial means to recruit a CISO.
Cybersecurity is becoming fashionable among CIOs. More and more of them are training in the field to remain attractive on the job market. This is the case of David Wijnker, an external CIO placed with clients by Finaxim, a firm of part-time executives. “I have been a part-time CIO for four years and I work with SMEs and mid-caps. I started dealing with cybersecurity issues during a CIO assignment three years ago, at the request of a client. I then trained in cybersecurity, in particular by taking certifications in risk analysis such as ISO 27001 training. And so I also became an external CISO a year ago. If I trained in cybersecurity, it is because I observed that the companies I worked for as CIO expected me to master the subject.” And for good reason: SMEs and mid-sized companies are paying increasing attention to cyber risk without having the financial means to recruit a CISO to manage it. “It is therefore the CIO who takes on the role of the CISO.”
A pooling of roles forced by circumstances
“Clients are indeed asking me for more and more CISO skills, even before I tell them that I have any. They will, for example, ask me to check whether their information system is secure. From now on, when I meet a client, my diagnosis therefore necessarily includes a security component,” adds Stéphane Atlani, also an external CISO working with mid-sized companies and SMEs. Passionate about hacking since his teenage years, when he loved “hacking and repurposing objects”, he fortunately has the skills needed to meet his clients’ new expectations. With them, he now leads governance, risk and compliance (GRC) missions as well as pentests. “I also carry out security monitoring, in particular using threat intelligence publications and CERT-FR alerts, to see whether my clients’ information systems could be under threat.”
According to him, these expectations have emerged since the arrival of cybersecurity regulations such as the NIS 2 directive, which requires more than 15,000 SMEs and their suppliers to raise their level of cybersecurity. Eva Nabusset, director of Rehackt, a recruitment firm specializing in cybersecurity, confirms this: “Since 2022, I would say, with the cybersecurity regulations that have come down, I have noticed that companies are on a forced march towards cybersecurity. And as soon as a subject has a connection with digital technology, cybersecurity or not, the CEO tends to pass it on to the CIO automatically.” On top of this, SMEs and mid-sized companies often do not have the budget to recruit a CISO, even part-time. “It is also for this budgetary reason that my clients ask me to carry out CISO missions,” says David Wijnker, who now deploys EDRs and firewalls at his clients during his CIO assignments. “And then, for management teams who know little about it, a CIO is worth more than a CISO: he can take care of cybersecurity as well as the electrical outlet and the website,” laughs Stéphane Atlani.
Even some CIOs employed by mid-sized companies that do have a CISO feel affected by this trend. This is the case of Romain Dachy, CIO at Domitys, a senior residences company. Aware of the importance that cyber subjects are taking on in his role as CIO, he too has trained, like David Wijnker, in the ISO 27001 standard. “I also see that the CIO must increasingly absorb cybersecurity skills. This is explained by the fact that security by design for every digital project is gradually becoming essential, partly because cyber regulations are tightening. Now, these projects are led by the CIO, who must therefore adopt a cyber posture. This is also why I trained in ISO 27001, in order to integrate this cyber skill into my activity.”
Towards a risky merger
Are the functions of CIO and CISO destined to merge? “Yes,” replies Hubert Loiseau, one of the rare CISOs to have subsequently become a CIO, a year ago, at Campus Cyber. “There is currently a natural merger taking place in the IT professions: if a CIO does not have a cyber veneer, he will lose value on the job market. We are not going to invent a new job title for the new positions that merge the missions of CIO and CISO. I think it is simply the CIO function that will absorb the cybersecurity missions among SMEs, and among supply-chain suppliers in critical sectors such as defence and energy.”
However, a company recruiting such a hybrid profile must weigh the risk. Defining the IT strategy and leading digital projects while assessing their level of security amounts to combining the roles of decision-maker and evaluator in a single function, a segregation-of-duties conflict of the kind that frameworks such as ISO 27001 expect organizations to address. Unscrupulous CIOs may be tempted to conduct a less than objective evaluation of their own projects. “Certainly, but the real question is what we do in a small structure that cannot afford even a part-time CISO. Are we going to refuse to let the CIO also act as CISO? In a structure with limited resources, it is the principle of reality that must prevail. It is better to combine the functions of CISO and CIO in a single person than to settle for just one CIO,” concludes Hubert Loiseau.