
Can the security industry handle a chief information risk officer?

Chief information risk officers seem to be on the horizon as CISOs become inundated with responsibilities, but adding another c-level could cause more harm than good.

The RSA Conference 2015 focused on the changing role of the chief information security officer (CISO), specifically on how these executives are morphing into chief information risk officers (CIROs) or how enterprises are looking to hire CIROs in addition to CISOs.

A CIRO is a c-level officer who sets the strategic risk management vision and is charged with developing processes in all areas of information risk. This includes information security, policy, BCP/DRP, vendor management, IT procurement, the IT project management office, IT compliance and exogenous risk (cyberthreats, world events, civil disorder and natural disasters, among others). CIROs are most often found in the finance industry, and they typically report to the CIO or the chief risk officer (CRO).

Hiring a chief information risk officer isn't right for many enterprises, however, because they don't need another c-level position. It has already been a struggle to get the CISO position to where it deserves a "seat at the table" on the board. Considering the struggle CISOs can have in obtaining recognition and resources, adding an additional c-level position with additional demands could make it difficult for existing c-levels to accomplish their tasks, which would only complicate and delay the intended objective of obtaining good security.

A risk-minded CISO could fill the gap


Getting CISOs to be more business- and risk-minded is not a new objective. It has been promoted since the early 1980s by ISSA and ISACA, and it is how and why COBIT was developed. The issue lies in the CISO role itself: CISOs need to be technical in order to stand toe-to-toe with engineers and CIOs and to deploy security that matters. But CISOs also need to be business-savvy to obtain the executive management support that allows the security team to implement a strong security program. The risk aspect has always been in the mix too.

If an enterprise implements a CIRO program, it runs into the same issue in reverse. The enterprise would have a c-level executive who does not understand technology well enough to champion the information security program. The "I" for information in the CIRO acronym suggests that a CIRO has that knowledge of technology, but this new position would more likely only marginalize the CISO -- who has been working hard for a seat at the table.

What organizations need is a CISO who is incisive, confident and will provide stability between technology, risk and cybersecurity. To balance security controls and risk effectively, the two have to be commensurate with each other. Technical CISOs have a tendency to prioritize security controls, whereas a non-technical executive might permit higher levels of risk at the expense of security. This balance needs to rest on foundational strategic business objectives, and it must make economic sense.

Seemingly every day there is news of yet another data breach, and board members want to know if it will happen to them; they want assurance. Currently the CISO is in the best position to provide that assurance. Adding to the c-level executive structure by advocating for a CIRO is forcing a square peg into a round hole. Maybe over time there will be more room for a CIRO, but enterprises -- much less small and medium-sized businesses -- are not there yet.

Focus on the chief privacy officer

The E-Government Act of 2002 mandates a privacy impact assessment (PIA) of any new or substantially revised information technology system, in order to protect personal information contained in government records and systems. GLBA, HIPAA, the HITECH Act and SOX also carry a host of regulations to safeguard the security and privacy of electronic protected health information, personally identifiable information and financial data. The chief privacy officer (CPO) performs the PIA to:

  • Identify and understand legal requirements regarding privacy from laws, regulations and contract agreements.
  • Check whether personal data is correctly managed in respect to these requirements.
  • Review corporate privacy policies to ensure they cover applicable privacy laws and regulations.
  • Verify the correct security measures are adopted and implemented across the organization.

It is incumbent upon the CISO to work with the CPO to ensure proper controls are deployed to protect corporate data. A close alliance between privacy and security strengthens the ethos and balance of asset protection. Finding a CIRO well-versed in risk, technology and security would be more difficult than growing the CISO position to work with the CPO to ensure a balanced view of information security.

About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Villegas has been a CISO for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.


This was last published in August 2015
