The world is changing. The threats are changing. The technology is changing. It makes sense that our roles, our titles and our responsibilities are changing as well and information security officers are no different.
“Twenty years ago, when businesses began hiring CISOs, business advantage derived from working with data within the organization. Data lived primarily in the data center, the IT department was steward of the data, and the CISO was guardian of the firewall, defender of the perimeter. Then came distributed systems that linked locations, branch offices, business partners, and the supply chain, followed by mobile computing that links the back office with every employee and customer all the time. Today, there is no perimeter. Business advantage follows where the data flows, leaving the CISO to safeguard data that can be in use or in transit anytime and, often, anywhere in the world. As information moves beyond the data center, so has the role of the CISO, shifting from data security to managing the inevitable risks of anytime, anywhere data.
As the CISO’s role moves from the data center, Christiansen advocates changing the name and reporting structure to reflect the new risk management focus. “Instead of a chief information security officer, businesses today need a chief information risk officer, a CIRO, and that person needs to report not into IT, but to the business leadership team. By transforming from CISO to CIRO, you begin to talk to the executive team about risk information in the context of their business, so they can make more informed decisions. Like all the other C-level executives, now the CIRO is talking in the same business terms and now he or she is managing risk in alignment with business priorities.
The CIRO needs to become intimately familiar with business operations, strategies, and goals. The key benefit here is that if you go to this business-aligned strategy, you can present recommendations and programs in the context of everything else the executive team is thinking and hearing about. Instead of talking security systems and data, you’re talking to them about information risk, reputational risk (which is the number one concern for many businesses I talk to), business operational risk, and regulatory risk—top-of-mind issues that they understand very well.”
You can read the full article here: “The Vanishing Perimeter: Transforming the Role of the CISO”