Should CISO Be Chief Risk Officer? Identifying CISO's Role in Managing Risk in the Enterprise
Many chief information security officers have the business savvy and technical know-how to be their organization's chief information risk officer. But should CISOs assume that extra role?
Think about it. Today's enterprises - in government or the private sector - need secure information technology to function. Understanding what's needed to keep IT operational is key to an enterprise's success. Plus, except for the finance department, and to a lesser degree the legal and human resources departments, IT and IT security are the only departments that touch every aspect of the enterprise.
That's why it's no surprise that chief information security officers assume many of the responsibilities of the chief risk officer. "It's part of my role," Intel Chief Information Security and Privacy Officer Malcolm Harkins told me in an interview last spring (see Merging Privacy and Security Roles). "You could argue when I was [solely] chief information security officer that a more appropriate title may have been chief information risk officer."
That's because as CISO, Harkins says, "I've always had a wide-angle role around information risk." Much of what a CISO does revolves around risk, including dealing with business continuity, disaster recovery, compliance and supply chain issues. "There's an interdependency of certain key controls in each of those layers within the company that need to be thought through so that you can manage appropriately the risk, as well as make sure that you're not over-controlling in a way that encumbers the business," Harkins says.
Of course, having the CISO assume some or all of an enterprise's information risk portfolio isn't new. But it's a point that needs to be addressed from time to time as information systems and information security get more complex with each passing day.
Brown University CISO David Sherry told my colleague Tom Field last year that he sees the CISO's role evolving to include managing the risk of an enterprise by setting the proper programs, policies and processes that are necessary to fulfill the IT security mission.
"By establishing one person who thinks of the compliance, risk and security needs holistically, the areas responsible for the day-to-day operations of utilizing the controls and the assessments will have better leadership and direction," Brown said (see CISO's Challenge: Security & Risk).
Brown is a member of Wisegate, a private association of senior IT leaders, which issued a report that addresses that specific topic: CISOs Share Advice on Managing Both Information Security and Risk. As the report points out:
"There is a tension between risk management, which involves balancing risk with resources, with implementing an information security program, which focuses on securing information. There is also a tension between the need to identify risks an enterprise confronts and the legal requirement to have plausible deniability if a breach occurs. CISOs will need to deal with these tensions, as well as others, in order to carry out their increased responsibilities successfully."
Invested in Risk Decision-Making
But should those increased responsibilities stop short of a CISO assuming the additional role of chief risk officer? Chris Buse, CISO for the state of Minnesota, says yes.
Buse is heavily invested in the state government's risk decision-making. He says it's his job to help make sure that the state government has a risk-management process in place that accounts for threats, vulnerabilities and the necessary controls to manage risk at an acceptable level. But he makes a subtle point that the information security organization should never "own" the risk itself.
"Risk needs to be owned by the business units that ultimately must accept the residual risk that results from our threat modeling and control implementation process," Buse says. "Obviously, this means that security needs to engage with business partners to make sure that they understand the residual risk that remains after control decisions are made. This symbiotic relationship is something that I outlined in the security chapter of the comprehensive SLA [service-level agreement] that our IT organization has with each government entity that we serve."
Buse has business proficiency along with his IT security experience, but he's right: He should be a major player in helping the state assess risk, but others should bear the primary responsibility for managing risk. And most enterprises should take a similar approach.
What risk management responsibilities, if any, do you think CISOs should assume? We'd like to hear from you.