What is the CISO’s Role in Risk Management?
Published August 2, 2018 by Karen Walsh
The Chief Information Security Officer (CISO) holds an increasingly important role in any organization. Protecting your organization’s information still means reviewing your information technology security controls, but it now also means managing the threats that vendors pose to your environment. This expanding scope requires the CISO to focus on risk management more than ever before.
The Role of CISO in Risk Management
What is the CISO role within your organization?
The CISO is a senior-level management position focused on protecting your information assets and technology from malicious actors. As cyber attacks increase in number and sophistication, your CISO works harder than ever to protect your data’s confidentiality, integrity, and availability.
Traditionally, the CISO’s role lay in implementing security controls such as firewalls or data encryption. As vendors increasingly supplied those controls as packaged solutions, the CISO’s role evolved into managing risk to ensure ongoing business success.
Why is risk management an important CISO role?
Your CISO no longer simply manages your security function. As standards and regulations are updated to respond to new digital threats, they also change what is expected of the security program. For example, several of the primary standards and regulations require organizations to engage in effective risk management.
- ISO 27001: Requires an information security management system (ISMS) built around a documented risk assessment and risk treatment process
- Health Insurance Portability and Accountability Act (HIPAA): Requires, as part of the Security Rule’s Administrative Safeguards, a risk analysis and risk management process to reduce risks and vulnerabilities to protected health information
While ISO 27001 and HIPAA require a risk management approach to information security, neither requires that a CISO administer it. Some standards, however, do name the role.
- NIST SP 800-53: Assigns responsibilities to the organization’s senior information security officer (the CISO role) within NIST’s tiered risk management approach, which spans the organization, mission/business process, and information system levels and underpins a Continuous Diagnostics and Mitigation (CDM) program
In other words, as you build a security program, the person administering it must be focused on risk management. In practice, therefore, the CISO is usually the individual in the organization managing the varied cybersecurity risks.
What are the primary risk management functions of the CISO?
Your CISO needs to be able to assess the variety of risks inherent in the current IT landscape.
- Critical Systems and Data: Increased reliance on digital data requires determining which information assets, networks, and systems are critical to continued business operations.
- External Threat Management: Increasingly sophisticated malicious actors require maintaining patch and configuration management processes that keep systems and software up to date.
- Internal Threat Management: Role-based access control and multi-factor authentication establish internal controls over system and network access.
- Vendor Risk Management: Increased use of vendors to collect, transfer, and store data requires monitoring and managing their security controls to protect your information.
- Continuous Monitoring: Automated monitoring of internal and external controls enables faster identification of system and network vulnerabilities.
- Business Continuity and Incident Response: The growing number and sophistication of breaches require CISOs to establish and enact appropriate strategies to manage the impact these risks pose.
Corporations need to include security risk management as part of their enterprise vision, strategy, and program to ensure information assets and technologies critical to business operations remain online or can be brought back online rapidly.
Who should the CISO report to?
Although traditionally the CISO reported to the Chief Information Officer (CIO), modern best business practice is to shift the reporting line to the Chief Executive Officer. Your CISO should be established as a member of the C-suite to solidify the role’s importance within the organization.
Additionally, as CIOs often purchase and manage IT assets, a conflict of interest may arise between security and replacement costs. Establishing a segregation of duties between purchasing, deployment, and security better enables risk management within your organization. Therefore, the CISO and IT security functions need to work with the CIO and IT department without reporting to them.
When must the CISO report to the Board of Directors?
Increasingly, regulations and standards incorporate corporate governance as part of your Board’s responsibilities. In alignment with many regulations and standards, the Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), National Association of Corporate Directors (NACD), and Internet Security Alliance (ISA) all focus on the importance of cybersecurity corporate governance.
Bringing the IT security function together with the Board of Directors better enables both parties to engage in appropriate risk management strategies. Your CISO needs to communicate the internal, external, and vendor risks clearly enough for the Board to exercise the needed corporate governance. If your Board of Directors cannot provide the required oversight, it is not meeting its obligations and, in some cases, such as under the Sarbanes-Oxley Act of 2002, the organization and its officers may face monetary penalties or criminal liability.
How ZenGRC Enables CISO Risk Management Activities
Whether you’re just starting the risk management process or trying to strengthen your compliance, our easy-to-use content gives you guidelines for assessing risk and aligning it to business objectives to help manage corporate risk.
Additionally, ZenGRC’s risk assessment tools allow you to incorporate vendor management into your business risk management process more rapidly. Our Payment Card Industry Data Security Standard (PCI DSS) aligned questionnaires and task reminders enable faster risk documentation and tracking.
With our role-based authorization capabilities, you can give all employees access to the information they need to enact your risk-based corporate strategies. Empowering employees with the required information allows them to maintain the corporate culture you set and reinforces the control environment management has defined.
A primary component of an enterprise risk management (ERM) program is Board oversight and informed review. However, your Board of Directors does not want overly detailed reports, and creating annual presentations is time-consuming. ZenGRC’s reporting tools provide easy-to-digest reports with graphics that clearly explain your risk profile. These reports give your Board the information it needs while saving you preparation time.
This ease of communication applies to work with your internal auditor as well. Auditors need documentation to prove that implementation matches policy. When they spend time on administrative information-gathering tasks, audits take longer and information may end up incomplete. ZenGRC provides a single source of truth by aggregating all records, reports, policies, procedures, and control listings in one place. Streamlining the audit process not only saves time and money but also leads to stronger audit outcomes.
To learn more about how ZenGRC can help your company establish an enterprise risk management program effectively aligned to business objectives, schedule a demo.