top of page

What is a CISO and how does it differ from an IT administrator?

  • Jun 30
  • 3 min read
"But we have an IT person - don't they take care of security too?"

This is one of the most frequent questions we hear from company managers. The question is understandable, because both roles deal with data and computers, but behind it lies a misunderstanding that can be costly - especially now that the Cyber Security Law (CSL) sets new requirements for organisations.


The answer is simple: an IT administrator and a CISO do different jobs — one looks after the company's IT estate and keeps it running, the other defines and maintains the company's security. Both are needed, but one cannot replace the other.


Technician connects tangled white and blue network cables in a server rack, focused on configuring equipment in a data room.

CISO - an architect, not a builder


To explain the difference between an IT administrator and a CISO, a comparison with building a house (the organisation) is useful. The builder does the practical work: lays the foundations, erects the walls, connects the utilities, and later maintains and repairs them. They care that the doors open easily, that the sockets work, and that when a pipe bursts they rush to stop the leak so it doesn't flood the house.


Before the builder can start building the house, they need a project, which is prepared by the architect. The architect decides how thick the walls will be and what they will be made of, how many locks the doors will have (multi-factor authentication), and prepares training for the residents so that they don't open the door to strangers posing as Wolt couriers (phishing attacks), and so on. The CISO does not lay the walls - they ensure that everything that is and will be built is secure.


Your IT administrator is the builder of your house (company), and the CISO is the architect. If the IT administrator puts out the fires that break out in the house, the CISO foresees the fire risk before it happens and defines the measures needed to control it — smoke detectors, extinguishers, sprinklers, an evacuation plan, easy access to the electrical panel, and the locations for installing fire hydrants.


What does an IT administrator do?

An IT administrator takes care of day-to-day technical operations: computers and servers, the network, user access, backups, and software updates. This is operational, "here and now" work, without which the company could not function — but it is neither strategy nor legal compliance.


What does a CISO do?

A CISO oversees the company from a security perspective. They carry out risk assessments, determine which threats are most important to the company, and prepare security policies and an incident management plan.


Most importantly, they ensure compliance with the Cyber Security Law and often communicate with the National Cyber Security Centre (NKSC). If your company received an NKSC notice about being added to the list of cyber security entities, it is precisely the CISO who can answer the question "what to do first." An IT administrator cannot do this — not only because of qualifications, but because it is simply a different role.


Why can't an IT administrator be a CISO?

An IT administrator cannot be the CISO because of a conflict of interest — it is the same as letting a builder carry out the security inspection of the house they built themselves. If the administrator's job is to react to daily technical challenges and ensure the speed and convenience of systems, the CISO must think strategically, assess risks, and sometimes deliberately limit daily convenience for the sake of protection.


Cyber security regulation is based on the principle of separation of duties - the expectation is that the same person does not perform both IT administration and security oversight functions.

When these roles are assigned to one person, daily routine and user complaints almost always "eat up" the security strategy, and infrastructure security is assessed subjectively; why use extra login protection with a code from a phone if it isn't convenient? A similar type of login-protection gap was also the cause of one of this year's biggest data leaks — in the case of the Centre of Registers.


Registrų centro įėjimas

Why does this matter?

The Cyber Security Law does not require your IT administrator to suddenly become a security strategist. It requires the company to have both functions — both day-to-day technical maintenance and security strategy. For many small companies, a full-time CISO role is too expensive, and the benefit it provides would not even be fully used — such an employee would finish their work in less time and would sit idle for the rest of it.


That is why more and more companies are choosing an external CISO - an experienced specialist from an outside company, working according to the company's needs. If you are not sure which function your company is missing, let's talk. We specialise in external CISO services and work successfully with both large and small companies.



 
 

Take the first step

Cybersecurity compliance doesn't happen in a day - contact us and start working towards it

bottom of page