The CRO and the CISO: A Dynamic Duo Fighting Security Threats
Batman and Robin. Han Solo and Chewbacca. Sherlock and Watson. In both the fictional and real worlds, great accomplishments often require great partnerships. Strolling the halls of today’s enterprises, you’ll discover a new superhero team in town: the chief risk officer (CRO) and the chief information security officer (CISO).
Together, these relative newcomers to the C-suite work tirelessly to protect their businesses against regulatory compliance issues and security threats. This increasingly important partnership has demonstrated that preventing financial losses in enterprises means expanding investment in information security.
Overlapping Objectives of a CRO and CISO
The CRO position was originally developed in the insurance industry and quickly spread to the banking and financial services sectors. Although financial expertise is still vital for risk management, today’s CROs must take a broader view when assessing risk.
When it comes to security and risk management, the CRO and CISO have many of the same concerns. Resilience reports that of the top seven risks C-suites worry about the most, the following three relate directly to information security:
- Regulatory Change and Scrutiny: Enterprises have a host of regulations they must comply with, ranging from the Health Insurance Portability and Accountability Act to the Sarbanes-Oxley Act. Failure to maintain compliance increases the risk of a data breach, exposes the business to liability and multiplies the risk of returns volatility.
- Cyberthreats: Perimeter security, spear phishing, advanced threat vectors and internal compromise all pose significant risks to an enterprise. Attackers want valuable intellectual property, sensitive employee and customer information and an inside scoop about today’s businesses.
- Identity Management and Privacy: Modern employees often work from anywhere and require remote network access. Many workers also store sensitive information on their personal devices. This flexibility makes it easier to get things done, but it also makes it more difficult to protect critical data.
A strong relationship between the CRO and CISO can help protect an organization against some of these costly threats. The CISO speaks the language of security in a way the CRO doesn’t, which helps risk management executives pass along specific security concerns. On the flip side, risk management executives can help the CISO connect compromised security to potential operational, strategic and financial consequences, resulting in more buy-in for security spending.
A Direct Line to the Top
According to PricewaterhouseCoopers, 9 in 10 companies now take a risk-based approach to security. One key factor of improving security and reducing risk within an organization is giving the CRO and CISO direct access to decision-makers.
In many organizations, the CISO reports to the chief information officer (CIO). CROs generally report to the chief executive officer (CEO), but some may report to the company’s board or chief financial officer. The financial services industry is one of the more forward-looking sectors when it comes to the role of the CRO — according to The Wall Street Journal, 68 percent of financial services CROs report directly to the CEO and 46 percent report directly to the board.
However an enterprise is structured, it is important to give CROs and CISOs a relatively direct line to top decision-makers. When there are too many layers between the two roles and top company officers, indirect communication can become costly. According to CSO Online, organizations experience 14 percent more downtime and 46 percent more financial loss related to compromised security when the CISO reports to the CIO instead of the CEO.
CROs typically get more access to top executives than CISOs do, primarily because C-suites conceptualize risk management in financial terms. However, with the increasing risks of security incidents, downtime, regulatory noncompliance and reputational damage, risk management will continue to expand beyond financial expertise into the realm of information security. When financial loss results from compromised security, CISOs become invaluable allies in restoring functionality and compliance after disasters.
A solid, trusting partnership between the CRO and CISO that is forged long before disaster strikes forms a resilient shield that will protect enterprises against catastrophic financial loss.