Security vs Risk vs Privacy: Who Leads the Charge?

An ad-hoc survey reveals that many organizations lack a Chief Risk Officer. In the absence of a formal CRO function, the management of risk is often addressed through committees that are tasked with gathering and compiling information. This data is then typically funneled up through an audit committee because audit committees have more of a financial background.  

The CISO role used to be focused on the firewalls and the network. Over time, the role expanded to include other technologies. Suddenly, CISOs were expected to be the subject matter expert of everything, including database security, virtualization security, compliance requirements, contract reviews, business continuity, fraud, architecture, service management and more. Because the expectation is that the CISO role will continue expand and that CISOs will take on more risk-related responsibility, it’s important for the CISO to be able to measure and document the risk. Further, the CISO of the future will need to be able to understand the financial issues in greater detail and be able to articulate the risk against a financial backdrop.

Recommendations include:

• Develop a basic financial acumen.
• Establish relationships with the committees that are reporting risk (legal, finance, IT). Understand their priorities and how they are reporting risk.
• Create a risk committee within the organization that includes key people from the different groups. Find out what keeps them up at night in order to be able to articulate inherent and residual risk.
• Pick the top three issues within each security area and be able to voice for each what the priority is for the company.