Kayla Williams, CISO, Devo, on the next stage of CISO evolution.
The role of CISO has evolved rapidly over the last few years. What started as a technical position focused on securing IT systems has become a strategic leadership role focused on navigating the regulatory and threat landscapes. Risk management has become an increasingly important part of CISOs’ jobs; attack surfaces are larger than ever with the growing reliance on third-party tools, and changing regulations have upped the stakes for liability if and when breaches occur.
Highly regulated industries like financial services already have dedicated Chief Risk Officers, but in other areas, we’re likely to see CISOs increasingly taking on the responsibility of enterprise risk management leadership. This next stage of CISO evolution could even include a name change: Chief Information Security and Risk Officer. This shift will enable organizations to adopt more comprehensive risk management strategies, helping to strengthen their overall security posture.
The CISO’s current role in risk management
The core principles of risk management already underpin CISOs’ everyday responsibilities. Their teams conduct assessments to identify vulnerabilities, implement security measures to mitigate potential threats and develop incident response plans to manage and minimize the impact of breaches. CISOs are also held to the highest standards of documentation and compliance, facing near-constant audits. Some juggle regulations across state, federal and international borders. While most CISOs’ primary focus is on securing their organizations’ assets, their expertise in risk assessment, mitigation, and reporting is easily transferable to managing broader business risk.
This is especially true of CISOs with backgrounds in Governance, Risk, and Compliance (GRC) and auditing. A CISO with foundations in GRC is already skilled at risk management within complex regulatory and compliance frameworks, enabling them to extend their oversight beyond IT and security. They can assess risk from a holistic perspective encompassing nearly every business area.
Drivers of the CISO’s evolution to CISRO
There are three main reasons why CISOs are evolving into CISROs. The first is that risks are no longer isolated to specific departments or functions but instead ripple throughout the entire organization. For example, a data breach at one software vendor can jeopardize thousands of clients’ data, exposing sensitive information from millions of users. One seemingly isolated supply chain disruption can create operational, financial and reputational damage for every company that relies on the supplier’s products. Because of this, CISOs have had to adopt a more holistic view of their supply chain, software vendors included, to properly assess what security risks other business units could inadvertently bring into the business.
The second is that CISOs have had to broaden the scope of risks they evaluate beyond cyber-related factors to include geopolitical events, physical infrastructure vulnerabilities, customer demands and brand trust.
When enterprises consider expanding into new markets, CISOs now often weigh the impact of that market’s regulatory compliance measures and IT infrastructure risks related to physical locations on the security of the business.
The third is that emerging regulations are pushing organizations to adopt more robust risk management practices. The SEC’s cybersecurity rules for public companies require disclosure of material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that an incident is material, and annual disclosure on Form 10-K (Item 1C) of the company’s approach to cybersecurity risk management, strategy and governance. Similarly, the NIST Cybersecurity Framework v2.0 adds a sixth core function, Govern, and expands beyond IT risks by integrating cybersecurity risk into broader enterprise risk management processes.
All this said, it’s become clear that cybersecurity and risk management are undeniably linked. The interconnected nature of these risks encourages an integrated approach that many CISOs are well-suited to implement.
The benefits of a CISRO
So, if CISOs are already focused on managing risk for their organizations, what difference will it make to change their titles? Formally assigning enterprise risk responsibility to CISOs will take them out of their tech silos and improve risk management across the organization. CISROs can help standardize risk management practices and nomenclature across the entire organization. The official designation also establishes CISROs as advisors to other business units, giving them authority beyond technical risk. For example, a CISRO can provide a useful perspective to a marketing team weighing its options for agency partners, raising factors such as the agency’s data handling practices that others may not consider.
Evolving a CISO into a CISRO can also enhance their ability to identify and respond to emerging risks. With greater visibility into risk across the entire business, they can develop more comprehensive and effective incident response plans. Organizations would also likely see improved alignment between information security and business objectives. A CISRO can ensure security initiatives support business goals rather than slowing them down. CISROs could also improve risk-related communication, streamline processes and prioritize risk management based on an organization’s broader risk profile.
Embracing the future of security and risk management
The CISO role has become more than just cybersecurity; it’s about enterprise risk management. Formalizing this evolution with the title of CISRO is crucial for organizations to effectively navigate the complexities of today’s interconnected risk landscape. By empowering CISROs to lead a holistic and integrated risk management strategy, businesses can enhance resilience, improve alignment between security initiatives and business objectives and ultimately achieve a more secure future.