- Understanding risk is a priority that stretches beyond the role of the chief information officer, yet only one-third of organizations view security as a threat to business growth, according to Charlie Jacco, principal, Cybersecurity Services at KPMG, speaking at a Forrester event in Washington on Wednesday. The role of the CISO is changing, shifting the onus of valuing risk onto the business as a whole.
- CISOs are increasingly paired with a head of cyber risk management, a new position on an organization's risk committee, according to Jacco. The CISO traditionally reports to the CIO or CTO, whereas the head of cyber risk aligns with the head of operational risk or the chief risk officer.
- The separation of roles disperses responsibilities. The head of risk focuses on risk policy and identifying the "businesswide cyber risk appetite," while the CISO is freed up to focus on detection, protection, monitoring and response, according to Jacco.
When Jacco asked the room of attendees whether the CISO should be the sole person responsible for setting the risk posture of a business, no one agreed.
Adopting this new organizational model for cyber leadership frees CISOs from having to "tell the business 'no' to everything they want to do," said Jacco. It is becoming clear that no single person, the CISO included, needs to sign off on a risk or on a policy that needs reworking, and businesses are embracing that.
There is a widespread understanding among security professionals that the role of the CISO is evolving, as is the role of IT. Currently, businesses rely on IT to tell them what they should or should not do in their business strategy, but that relationship is reversing, he said.
The reluctance to cultivate a business strategy without IT's direct coordination may come down to how cyber and risk are communicated in boardroom meetings. Such meetings are often "tactical" and lack "defined objectives," said Jacco, leaving members with an unclear understanding of risk and cyber and of where they need reinforcing.
Writing the intended cyber and risk metrics directly into policies puts proposals into language a CEO or CFO can more clearly understand. Cyber leaders should also be able to place a value on specific at-risk areas of the infrastructure. Breaking down the monetary value of at-risk systems, spelled out as "spend 'x,' reduce risk by 'y,'" is more effective in boardroom proposals, said Jacco.