Skip to main content
close search
site logo
Dive Brief

Why CISOs are not setting the business risk posture aymore

Published Sept. 27, 2018
Samantha Schwartz's headshot
Samantha Schwartz Reporter

Dive Brief:

  • Understanding risk is a priority that stretches beyond the role of the chief information officer, yet only one-third of organizations view security as a threat to business growth, according to Charlie Jacco, principal, Cybersecurity Services at KPMG, speaking at a Forrester event in Washington Wednesday. The role of the CISO is changing, shifting the onus of valuing risk onto the business as a whole.
  • CISOs are increasingly paired with the head of cyber risk management, a new postilion in the risk committee of an organization, according to Jacco. The CISO traditionally aligns with the CIO or CTO whereas the head of cyber risk aligns with the head of operational risk or the chief risk officer. 
  • The separation of roles is dispersing responsibilities. The head of risk focuses more on risk policy and identifying "businesswide cyber risk appetite" while the CISO is cleared up to focus on detection, protection, monitoring and response, according to Jacco. 

Dive Insight:

When Jacco asked the room of attendees if they thought the CISO stands as the sole responsible person for setting the risk posture of a business, no one agreed.

By addressing the emergence of a new organizational model in cyber leadership, it frees up CISOs from having to "tell the business 'no' to everything they want to do," said Jacco. It's becoming clear that it is not a single person or the CISO that needs to sign off on a risk or a policy that needs reworking, and businesses are embracing that. 

There is a widespread understanding among security professionals that the role of the CISO is evolving, as well as the role of IT. Currently, businesses are relying on IT to tell them what they should or should not do for business strategy, but that exchange is reversing roles, he said. 

The reluctance to cultivate a business strategy, absent of IT's direct coordination, may come down to how cyber and risk is communicated in boardroom meetings. Such meetings are often "tactical" and lack "defined objectives," said Jacco, leaving members an unclear understanding of risk or cyber and where it needs reinforcing. 

By writing what cyber and risk metrics should be directly into policies, it puts proposals into language a CEO or CFO can more clearly understand. In part, cyber leaders should be able to place value on specific areas at risk in the infrastructure. Breaking down monetary value on at-risk systems, spelled out by "spend 'x,' reduce risk by 'y,' " is more effective in boardroom proposals, said Jacco.

Filed Under: Security, Leadership

Editors' picks

Company Announcements

View all | Post a press release
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell