Recently, LinkedIn suggested that I apply for the position of “Director of Global IT & Cyber Security” at a medium-sized company with multiple locations and a well-known brand. Although I have enough to do at TEN Information Management, I took a look at the job description.

Why? Because I hear from the organization that the position has been vacant for almost a year. There must be a reason for that, I thought to myself. And in my opinion, the reason is clear from the job title alone.

Even without having read the job description in detail, I think that combining such responsibilities in one role is counterproductive and even harmful – for the following reasons:

  • Conflicting goals: IT ensures operation and availability, while security ensures protection and compliance. When combined in one person, security requirements are often neglected in favor of day-to-day business.
  • Complexity and regulations: Threats and regulatory requirements (e.g., ISO 27001, NIS2) are constantly growing. Only specialized security teams can master these.
  • Skills shortage: There are very few specialists who can cover both areas at the highest level. Separation enables more targeted development and resource utilization.
  • Governance: For effective risk management and compliance, security must operate independently of IT—only then are objective controls and checks and balances possible.

All in all, I don’t think the company will find anyone who will stay in the position for long in its current form. For an IT manager, the job is too security-heavy, and for a security professional, it involves too much IT responsibility.

For sustainable resilience and security, a clear separation of IT and security responsibilities is essential.

Is your security role vacant? We can help with our InfoSec Navigator. Make an appointment now.
