CIO vs CISO
Two distinct leadership functions with overlapping responsibilities, and the question every growing organisation eventually faces: do you need one, the other, or both? Here is a straight answer.
Many organisations appoint a single senior technology leader and expect them to cover everything from digital strategy to cyber security. That works at a certain scale. But as your organisation grows, as regulatory pressure increases, and as the threat landscape becomes more complex, the CIO and CISO roles require very different expertise, focus, and accountability.
Confusing the two, or expecting one person to do both indefinitely, creates gaps. Strategy gets crowded out by incident response. Security becomes reactive because the person responsible is also managing transformation programmes. Board reporting blurs.
Understanding the difference is the first step to getting the structure right.
The Chief Information Officer owns technology as a business enabler. Their job is to align IT capability and investment with what the organisation is trying to achieve: growth, efficiency, resilience, customer experience, or mission delivery. That means setting and executing the technology strategy, governing the IT function and its budget, leading digital transformation and major change, ensuring systems support operational continuity, advising the board on technology investment and risk, managing vendor relationships, and building IT capability and succession. The CIO asks: is our technology helping us do what we need to do? At VetPartners, a GBP 1.2bn PE-backed veterinary group, Starkhorn’s founding engagement was the CIO remit in full: integrating acquired businesses, stabilising platforms, and building the technology function across nine Western European countries.
The Chief Information Security Officer owns information and cyber security as a discipline. Their job is to protect the organisation’s data, systems, and operations from threats, and to ensure the organisation meets its security obligations, whether regulatory, contractual, or ethical. That means defining the security strategy and framework, identifying and managing cyber and information risk, governing controls and policies, leading incident response and business continuity, ensuring compliance with frameworks such as Cyber Essentials, ISO 27001, NIST CSF, or NIS2, reporting cyber risk to the board in plain terms, managing supply chain security risk, and building security awareness. The CISO asks: are we protected, and can we prove it? For a large charity or a privately owned business carrying sensitive customer or patient data, a CISO is not a luxury. It is the role that keeps the organisation defensible and insured.
| Dimension | CIO | CISO |
|---|---|---|
| Primary focus | Technology as a business enabler | Protection of data, systems, and information |
| Core question | Is technology helping us achieve our goals? | Are we protected, and can we prove it? |
| Strategy ownership | IT and digital strategy | Information security strategy and framework |
| Board reporting | Technology investment, performance, and roadmap | Cyber risk, incidents, and security posture |
| Key relationships | CEO, CFO, operational leaders, IT function | CIO, Legal, Compliance, Risk, IT operations |
| Typical frameworks | TOGAF, ITIL, Agile, IT governance | ISO 27001, NIST CSF, Cyber Essentials, NIS2, NCSC CAF |
| Risk lens | Operational and strategic technology risk | Cyber, information, and regulatory security risk |
| When each becomes critical | When technology decisions turn strategic and consequential, not just operational | When security risk is real and unmanaged, or obligations require formal accountability |
| Engagement model | Interim or fractional CIO | Interim, fractional, or virtual CISO (vCISO) |
| Starkhorn capability | Yes | Yes |
You need CIO leadership when technology decisions are strategic and consequential, not just operational. The signs that a CIO is overdue: technology investment is significant but there is no coherent strategy behind it; digital transformation programmes are stalling or delivering less than expected; the board cannot get a clear picture of what technology costs or what it delivers; acquisitions, mergers, or rapid growth are creating IT complexity; the IT function lacks direction, prioritisation, or commercial discipline; or you are undergoing a strategic review, regulatory scrutiny, or a transaction that requires clear IT governance.
Interim and fractional CIO leadership is particularly effective when you need to close a gap quickly, test strategic options before committing to a permanent hire, or access senior capability that is not yet financially justified full-time.
You need CISO or virtual CISO (vCISO) leadership when security risk is real and unmanaged, or when your obligations require formal accountability. The signs that a CISO is overdue: you have experienced a cyber incident, or near-miss, and the response was unstructured; cyber insurance renewal is raising questions you cannot answer; customers, commissioners, or regulators are asking for evidence of your security posture; you are pursuing ISO 27001, Cyber Essentials Plus, or NIS2 compliance; board members are asking about cyber risk and no one is giving them a clear answer; or your IT team is managing security reactively alongside everything else.
For most organisations in the GBP 30m to 4bn range, a fractional or virtual CISO provides the right level of senior security leadership without the cost of a full-time executive.
There is a stage at which having one role cover both becomes unsustainable. That threshold is lower than most organisations expect.
You likely need both CIO and CISO leadership when technology transformation and a material security risk profile exist at the same time; when a regulator, insurer, or investor requires clear separation of technology governance and security governance; when your IT function has grown to the point where operational technology leadership and security oversight are both full-time commitments; when the board wants independent assurance on security without filtering it through the same person running the transformation; or when you are operating under a framework, such as NIST CSF, ISO 27001, or NIS2, that assumes defined accountabilities.
At Starkhorn, Daniel provides both CIO and CISO leadership, either separately or in combination, depending on what the organisation needs. That flexibility removes the need to source two separate executives before you have the full picture.
Starkhorn provides interim and fractional CIO, CISO, and virtual CISO (vCISO) services to mid-market and not-for-profit organisations with 100 to 5,000 employees and turnover from GBP 30m to 4bn.
Daniel Jacobs brings 20+ years in technology and security, 15+ of them in leadership roles across complex, regulated, and fast-moving environments. His approach is built on the Embed-to-Independence method: Discover, Diagnose, Deliver, Sustain. Every engagement is designed to leave the organisation stronger than it was, not dependent on an ongoing external presence.
Current and recent engagements include Alzheimer’s Society, where Daniel is Fractional Associate Director of IT for one of the UK’s leading health charities, and VetPartners, where he served as interim CIO and CISO for a GBP 1.2bn, BC Partners-backed veterinary group of 14,000 staff across nine Western European countries and over 850 sites. Daniel is also the author of a published book and holds PRINCE2 and ITIL Foundation.
If you are uncertain whether you need a CIO, a CISO, or both, a Technology Health Check or Board Cyber Governance assessment is a practical starting point. Both are available free.
Can one person do both the CIO and CISO role?
Yes, and many organisations operate that way, particularly at smaller scale or during a transition. A senior technology leader with both strategic and security credentials can hold both accountabilities. The risk is that one dimension crowds out the other: transformation demands consume the time needed for security governance, or a security incident absorbs focus that should be on strategy. When both demands are consistently material, separating the roles gives each the attention it requires. Starkhorn can provide both, either as one engagement covering both remits, or as two distinct leadership streams.
What is a virtual CISO (vCISO) and how does it differ from a fractional CISO?
The terms are often used interchangeably, and in practice the distinction is minor. A virtual CISO typically implies a predominantly remote or advisory engagement, providing senior security leadership without a physical presence in the organisation. A fractional CISO implies a part-time but embedded role, with regular on-site or active involvement. Both give you access to senior CISO-level expertise without the cost of a full-time executive. Starkhorn provides both models, structured around what the organisation actually needs.
Does a not-for-profit or charity need a CISO?
If you hold sensitive data, accept payments, or are subject to regulatory obligations, the answer is almost certainly yes. Charities and not-for-profit organisations are active targets for cyber attack, and many operate with a security posture that does not match their actual risk exposure. A fractional or virtual CISO gives you the governance, the policies, and the board-level reporting you need, at a cost that fits the organisation. Starkhorn currently works with Alzheimer’s Society in a fractional technology leadership role, and understands the specific constraints and obligations of the not-for-profit sector.
How quickly can Starkhorn start?
Daniel can be briefed within 24 hours and start within days. There is no lengthy procurement process, no team to onboard, and no delay while a large firm assembles a delivery team. The person you speak to is the person who does the work.
Does Starkhorn recommend or resell technology products?
No. Starkhorn does not resell software, take broker commission, or accept referral fees from technology vendors. All advice is independent. That independence is essential to the value of the role: a CIO or CISO who profits from the products they recommend is conflicted by definition.
Not sure which role you need?
A CIO (Chief Information Officer) owns technology strategy, systems and IT delivery, enabling the business through technology. A CISO (Chief Information Security Officer) owns information security and cyber risk, protecting that technology and the data within it. The CIO builds and runs; the CISO secures and challenges. Larger organisations need both; smaller ones can combine the mandates.
CISO means Chief Information Security Officer, the senior leader accountable for protecting an organisation’s data and systems. The CISO sets security strategy, manages cyber risk and compliance, and leads incident response. Where a full-time hire is not yet justified, this mandate is often delivered through a virtual CISO arrangement that gives board-level security oversight on a flexible basis.
| Dimension | CIO (Chief Information Officer) | CISO (Chief Information Security Officer) |
|---|---|---|
| Primary focus | Technology strategy, systems and IT delivery | Information security and cyber risk |
| Mandate | Enable the business through technology and operations | Protect data, systems and reputation from threats |
| Typical reporting line | CEO, COO or CFO | CIO, CEO, COO or the board, depending on independence |
| Key measures | Delivery, availability, cost, value and transformation | Risk reduction, compliance, resilience and incident response |
| When you need them | When technology underpins growth and operations | When cyber risk, regulation or sensitive data demand assurance |
CISO means Chief Information Security Officer. The CISO is the senior leader accountable for protecting an organisation’s data and systems: setting security strategy, managing cyber risk, ensuring compliance, and leading the response to threats and incidents. The CISO focuses on safeguarding information, whereas the CIO focuses on delivering and running technology.
Yes. A CIO (Chief Information Officer) owns technology strategy and delivery: systems, infrastructure, applications and IT operations. A CISO (Chief Information Security Officer) owns information security and cyber risk: protecting data, ensuring compliance and managing incidents. The CIO enables the business with technology, while the CISO protects it from threats.
Not always. In many organisations the CIO is more senior and the CISO reports into them, but the two roles are increasingly treated as peers. A CIO owns technology delivery; a CISO owns security and risk. Seniority depends on the organisation’s structure, sector and how cyber risk is governed at board level.
Often, but not always. In many organisations the CISO reports to the CIO, which keeps technology and security aligned. However, this can create a conflict of interest, since the CIO is judged on delivery and the CISO on risk. To preserve independence, many CISOs now report to the CEO, COO or board instead.
It depends on independence and risk appetite. Reporting to the CIO keeps security close to technology delivery but can blunt challenge. Reporting to the CEO, COO or board gives the CISO independence to escalate risk without conflict. Regulated and higher-risk organisations increasingly favour a reporting line outside the CIO function.
In the UK the CIO is typically the higher paid of the two, reflecting a broader mandate across all technology and a larger team and budget. CISO pay has risen sharply as cyber risk has grown, and senior CISOs in regulated sectors can match or exceed CIO pay. Figures vary widely by sector and organisation size.
A CIO owns internal technology strategy, systems and IT operations. A CISO owns information security and cyber risk. A CTO (Chief Technology Officer) owns the technology in the product or service the business sells, especially in software and product-led firms. The CIO runs the business on technology; the CTO builds technology for customers; the CISO protects both.
In smaller and mid-market organisations, yes. One experienced leader can hold both CIO and CISO mandates where the scale does not justify two full-time hires. This works when that leader has genuine breadth across technology delivery and security. As risk and regulation grow, the roles usually separate, often starting with fractional or interim cover.