The chief information security officer (CISO) is a relatively new type of C-level executive. As cyber threats have grown in recent years, to the point that poor cybersecurity can jeopardize a company’s strategic goals, boards and CEOs have come to understand the need for a senior-level executive to run security operations and manage vulnerabilities in their IT infrastructure.
A large part of the CISO role lies in compliance activities, such as helping the company to meet its obligations under the General Data Protection Regulation (GDPR) in Europe. That said, as the nature of cyber threats keeps expanding, CISOs are increasingly important to overall risk management – implementing programs to protect the company’s supply chain, assure business continuity, and prepare incident response.
Why Is Risk Management an Important CISO Duty?
The CISO is the executive responsible for maintaining a company’s information security policies, regulatory compliance, and, in the event of a security breach, implementing disaster recovery protocols. The CISO might report to the chief information officer (CIO) or chief security officer (CSO), or even to the CEO or board directly.
As standards and regulations evolve to respond to new digital threats, so too do the requirements for CISOs. For example, several regulations and industry standards mandate that CISOs engage in effective risk management:
- ISO 27001 requires an information security management system (ISMS).
- The Health Insurance Portability and Accountability Act (HIPAA) requires security measures, as part of its administrative safeguards rule, to reduce risks and vulnerabilities to information.
While ISO and HIPAA require a risk management approach to information security, they don’t expressly require a CISO to fulfill that obligation. Other standards do incorporate the term “CISO” in their language:
- NIST SP 800-53 defines roles and responsibilities for CISOs, including security management within NIST’s tiered risk management approach, which underpins a successful continuous diagnostics and mitigation (CDM) program.
Beyond regulatory compliance, CISOs play an increasingly large role in risk management because cyber threats now pose a greater risk to companies than ever before.
What Are the Primary Risk Management Functions of the CISO’s Job?
The CISO has many responsibilities, from monitoring security risks and managing the threat landscape to engaging with stakeholders to ensure regulatory compliance across all levels of the organization. Breaking out one part of the role as the most important is difficult.
Your CISO needs to be able to review a variety of risks inherent in the current IT landscape:
- Critical systems and data. Increased use of information technology and data requires that you determine what information assets, networks, and systems are critical to business operations. The CISO must ensure the company has the correct data security architecture in place so the business can run smoothly.
- External threat management. The increased sophistication of malicious actors requires a robust security strategy, security program, and protocols that regularly update systems and software.
- Internal threat management. Role-based authorizations and multi-factor authentication establish internal controls over system and network access.
- Vendor risk management. Increased reliance on vendors to manage data collection, transfer, and storage requires companies to monitor and manage those vendors’ security controls to protect the company’s information.
- Continuous monitoring. Automating the monitoring of internal and external controls enables better identification of network vulnerabilities.
- Business continuity and incident response. The increased sophistication and frequency of cyberattacks require CISOs to establish and enact appropriate strategies to manage the impact these risks pose.
Successful CISOs take an active approach, constantly scanning the horizon for evolving security threats. This allows them to prevent cybersecurity problems and to have the right security initiatives in place to respond when incidents occur.
To Whom Should the CISO Report?
As awareness of cyber risk has grown in recent years, so too has the seniority of the CISO, with more and more business leaders recognizing the need to build their information security awareness. Current best practices suggest the CISO should now report directly to the chief executive officer (CEO), to solidify the role’s importance within the organization.
It may also be wise to keep the CISO and CIO roles separate. Because CIOs often purchase and manage IT assets, a conflict of interest can arise when one person must balance security against replacement costs. Separating purchasing, deployment, and security duties can drive better risk management within your organization.
When Should the CISO Report to the Board of Directors?
It’s a testament to the evolution of the CISO role in recent years that the Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), National Association of Corporate Directors (NACD), and Internet Security Alliance (ISA) all focus on the importance of cybersecurity corporate governance in their regulations and standards.
Having the IT security team meet with the board of directors helps both parties to engage in the appropriate risk assessment and risk management strategies. Your CISO needs to communicate the internal, external, and vendor risks clearly, so the board can participate in the required corporate governance.
The Sarbanes-Oxley Act requires your board of directors to exercise oversight. If directors can’t do that, they are not meeting their obligations and may incur monetary penalties or jail time.
How ZenGRC Enables CISO Risk Management
Wherever you are in your risk management journey, our easy-to-use content gives you guidelines for assessing and managing corporate risk.
ZenGRC allows you to incorporate vendor management into your business processes more rapidly. Our Payment Card Industry Data Security Standard (PCI DSS)-aligned questionnaires and task reminders enable faster risk documentation tracking.
ZenGRC’s reporting tools provide easy-to-digest reports with graphics that clearly explain your risk profile, giving your board the information they need while saving you time. It also streamlines reporting to your internal auditor.
ZenGRC provides a single source of truth by aggregating all records, reports, policies, procedures, and control listings in one place. Streamlining the audit process not only saves time and money but also leads to stronger audit outcomes.
Schedule a demo to learn how ZenGRC can help your company manage enterprise risk.