Although more than half of CISOs still report to the CIO, some organizations are elevating the role to that of a C-suite peer or even a member of the board. Their rise in prominence coincides with growing pressure for boards to address cyber risk.
Not long ago, many senior management teams regarded their risk executives as “business prevention officers.” For that reason, risk managers often felt like salmon swimming upstream, their advice lost in the press of doing business, according to University of Maryland Executive-in-Residence Clifford Rossi. But large-scale “black swan” events like the 2008 financial crisis demonstrated the perils of leaping after business opportunities without first taking a long, hard look at risk. Since then, chief risk officers (CROs) have gained enormously in respect and prestige and are now seen as “business protectors” essential to success. This has led a number of organizations to increase their risk management budgets (some by as much as 100 percent), raise CRO pay, and make the position a senior management and, in some cases, board-level role, The Wall Street Journal reports.
The chief information security officer (CISO) has the potential to follow a similar path. Although cybersecurity has long been regarded as exclusively an IT problem, high-profile data breaches have convinced many business leaders it’s a broader issue that requires more executive attention. With the financial impact of a cyberattack potentially reaching into the billions of dollars for a large company,¹ senior management teams and corporate boards are taking a keener interest in cyber risk.
This oversight from an organization’s highest levels puts CISOs in the spotlight; some will need to develop new capabilities if they are to excel in their new, more strategic role. Specifically, CISOs, who have tended to focus on the technical aspects of cybersecurity, should consider adopting a more well-rounded risk manager profile. They must be able to clearly and succinctly articulate their companies’ exposures and plans for mitigating them. They must know their organizations’ most valuable assets and, of those, which may be at greatest risk for compromise. They must also have a firm handle on the potential ramifications of various cyberattack scenarios. And they should be prepared to answer the board’s challenging questions about the effectiveness of existing cyber risk mitigation plans and investment levels.
Critics of the CISO role ask why it needs to be a board-level position. They point out that CROs, particularly in financial services, already have a place on their organizations’ executive committees and can thus address cyber risk as part of business risk discussions. But in reality, few risk officers understand cybersecurity. It’s as new a topic to them as it is to corporate boards, which explains why some cyber risk and corporate governance practitioners advocate for creating a specialized subcommittee.
Elevating the CISO role is likely to precipitate changes in reporting structures. Currently, 56 percent of CISOs inside large organizations report into IT, typically to the CIO, according to Forrester Research. The 2015 Governance of Cybersecurity report from the Georgia Tech Information Security Center tracks the proportion of CISOs who report to the CEO at 22 percent. The Federal Financial Institutions Examination Council (FFIEC), an interagency governing body, recognizes the CISO as an enterprisewide risk manager who “should report directly to the board, a board committee, or senior management and not IT operations management.” In its handbook on IT governance, the FFIEC indicates the reporting structure should give CISOs the authority and independence to carry out their responsibilities while avoiding potential conflicts of interest that may hamper their ability to make decisions in line with the board’s appetite for risk.
A capable CISO on an executive management committee would almost certainly help the C-suite and the board monitor the company’s risk profile relative to the ever-changing cyberthreat landscape, while also improving organizational resilience and response capabilities. This may result in a more productive, collaborative approach to security.