
It’s been a challenging few months for Asda. In November 2024, the supermarket confirmed it would make sweeping staff cuts at its Leeds and Leicester head offices, with nearly 500 employees facing redundancy.
When it emerged the retailer’s chief information security officer (CISO) and head of security operations were among that number, concerned staff reportedly quizzed Asda execs on whether disbanding the senior tech team would leave the company vulnerable to a customer data breach.
Asda insists it will not. In a statement, a spokesman said: “We have a dedicated function that works hard to ensure that our internal systems and the data we hold remain secure in the face of cybersecurity challenges faced by all businesses.”
But the worried response from Asda’s workforce begs the question: in an age of digital pre-eminence, are security and information chiefs the riskiest roles to lose in a restructure? Without a dedicated leader at the helm, could organisations’ data and digital assets be exposed to new threats? And if such a move is unavoidable, how can firms minimise the danger?
Critical responsibilities
There’s no doubt that the responsibilities typically assigned to a CIO and CISO – information security, technology and IT deployment – are seen as business-critical by C-suite leaders. According to new research by Accenture, more than 40% of C-suite job postings in the UK in the past year have been data-related. One in four FTSE 100 board-level executives now say they’re proficient in technology, up 12% over the past three years.
“With almost every modern company using the cloud in some form and stakeholders radically changing how they consume services, the need for high-level IT is essential for most business operations,” says Andrew Smith, CISO at Kyocera Document Solutions UK, a global manufacturer of high-tech ceramics, electronic components, solar cells and office equipment.
The CIO and CISO are indispensable when they’re the sole strategic leads for these business functions. “Depending on how they are led, controlled and implemented, complex digitisation and IT projects can make or break a business,” he said, making it dangerous to dispose of the CIO role. “It can fundamentally change the path of a company’s success or demise.”
David Morimanno is director of identity and access management technologies at IT consultancy Xalient. He outlines the potential consequences of ditching roles like CIO or CISO.
“Without that leadership, projects can stall, operational efficiencies may suffer and critical systems can become vulnerable to cyber threats,” he warns. “Removing this role without a capable replacement leaves the organisation exposed to breaches, data theft and regulatory non-compliance, issues that can carry both financial and reputational consequences.”
Any gaps in oversight undoubtedly put organisations at risk. But this doesn’t necessarily mean the CIO role is exempt from the corporate chopping block, according to Sachin Shah, management consultant at Bain & Company.
IT is more important than ever before, but this has diminished the scope of the CIO, rather than elevating it, Shah believes. “The technology operating model is changing,” he says. “In the past, you had one person who would manage everything from applications to infrastructure to networks and telecoms to end-user computing.”
However, responsibility for tech, IT and information security is now distributed and segmented more widely across the workforce, rather than being concentrated in a single C-suite role.
Some companies are distributing these functions across multiple senior roles, rather than one, with the appointment of a chief data officer, chief digital officer and so forth, as well as a CIO. Others have introduced ‘business-product owners’ – a leader with some technology literacy who oversees the deployment of a specific technology-intensive product, with the team responding directly to the product owner rather than a CIO, Shah explains.
Some organisations are also reviewing capability sourcing strategies, he adds, to outsource more areas of IT infrastructure to third-party providers. This is particularly prevalent in managed security services.
A tricky transition
This segmentation and delegation of a CIO’s areas of responsibility has arguably made it easier to part ways with them, with less risk. However, there are still some fundamental steps any business must take before handing their CIO a redundancy notice, notes Smith.
The senior leadership team must first ask themselves some fundamental security questions. For example, how will the business risk profile be controlled and managed without a dedicated C-suite member to focus on it?
Companies must also be careful about relying too heavily on outsourcing companies without proper scrutiny, Smith adds. “Do you fully trust the outsourcing company? What are their credentials? Where will your data be stored? Remember, any outsourced IT company adds an extra layer of risk for potential cybercriminals, as an additional stakeholder now has access to your data.”
You almost always need someone who understands the business and its needs back to front, he continues. “While third-party providers often claim to offer a seamless service, you need someone on the inside who works with the business’s systems every day.”
What if the decision is unavoidable? In such cases, Morimanno says “robust planning, clear communication and a strong commitment to maintaining digital leadership are essential to navigating the transition successfully.”
Companies should first reallocate leadership responsibilities, ensuring any replacement “has both the technical expertise and the strategic vision”, he says. He also recommends that organisations “establish a digital advisory board or cross-functional leadership team to maintain oversight of critical initiatives” and conduct a comprehensive audit of the firm’s digital assets, infrastructure and existing cybersecurity measures. “Identify any gaps or vulnerabilities that might arise from the leadership change,” Morimanno advises.
Where possible, retain members of the CIO’s team, expanding their roles to maintain continuity if it is appropriate. And finally, “be transparent with employees, stakeholders and customers about the restructuring process. Explain how the company is safeguarding its digital strategy and infrastructure despite the change in leadership,” Morimanno concludes.
Business leaders who skip any of these steps are likely to find themselves facing tough questions – as Asda has learnt.
