Why more Chief Strategy and Risk Officers need a seat at the security table

For years the evolving role of chief information security officers has increasingly required them to think more like a chief risk or strategy officer and anticipate cyber threats before they happen. Now a perfect storm is brewing that may finally push risk management and strategy roles to the forefront of cybersecurity.

The White House administration's focus on cybersecurity, new proposed NIST standards and the industry's waning confidence in their ability to predict cyber attacks are conspiring to push the change.

"At the end of the day, security is going to have to be run by a different CSO – the chief strategy officer, or some would combine that with the chief risk officer," says Arvind Parthasarathi, CEO of Cyence, which has built an economic risk model for cybersecurity based on probabilities and dollars. "Defense is exactly at the core of the CISO, but the offense, the motivation of why somebody would want to hit you, is often driven by the strategy of the business and what they're trying to do."

The country waits for the president to sign a cybersecurity executive order that - in drafts - says that the responsibility for defending America from cyber attacks requires close cooperation with private sector entities and calls for reviews of the nation's most critical private sector infrastructure. The Commerce Department would have 100 days from the signing to come up with options to incentivize private sector adoption of effective cybersecurity measures, according to the draft.

Proposed updates to the NIST cybersecurity framework, released in January, push for more risk accountability. One proposed update to the Tier 4 framework implementation states, "Senior executives monitor cybersecurity risk in the same context as financial risk and other organizational risks. The organizational budget is based on the understanding of current and predicted risk environment and future risk appetites. Business units implement executive vision and analyze system level risks in the context of the organizational risk appetite and tolerances."

Finally, cybersecurity leaders are increasingly losing confidence in their ability to predict cyber vulnerabilities before they happen - and may need help with offense. Global cybersecurity confidence fell six points in 2017 over 2016 to earn a "C-" on a report card by research firm CyberEdge Group and Tenable Network Security. The overall decline included a 12-point drop in the 2017 Risk Assessment Index, which measured the ability of respondents to assess cyber risk across 11 components of the enterprise IT landscape.

"People aren't very good at finding out what their vulnerabilities are, but when they do find them, they're really good at patching them," says Cris Thomas, strategist at Tenable.

To fill the security holes, companies are enlisting chief strategy officers, chief risk officers and chief information risk management officers to augment the CISO role.

"You're going to end up with an organization structure with two security leaders - one with a risk background and one with an IT background," says Chris O'Hara, U.S. co-leader of cybersecurity and privacy at PwC. "How you divide responsibilities and get them to work together will be of ultimate importance."

PwC has also seen the birth of another job title - the chief information risk management officer, who works alongside the CISO to focus exclusively on security risk. The CIRM officer might also own business continuity risk, technology risk and third-party risk management, he adds.

Some CISOs have strategy & risk skills - but not enough

Well-rounded CISOs have been honing their strategy and risk skills for years. "What you need is folks that understand technology and its strategic implications — experts with an understanding of their business, along with broader global interactions and implications," says Suzanne Vautrinot, a retired major general in the U.S. Air Force where she oversaw its multi-billion-dollar cyber enterprise.

"Having someone with a tech background working strategy allows them to focus beyond daily crises or operations," she adds. Vautrinot now sits on the board of directors at Wells Fargo, Parsons Corp., Ecolab, Symantec and Battelle Memorial Institute.

The problem is that there just aren't enough CISO candidates who have those offense skills, recruiters say. "In a perfect world, if you have a CISO who has all these competencies and skill sets for this bigger job, then you don't need a chief strategy officer collaborating with them," says Matt Comyns, co-global cybersecurity practice leader at executive search firm Russell Reynolds Associates. Unfortunately, the number of CISOs with risk and strategy experience "are very few and far between," he adds.

Chris O'Hara, U.S. co-leader of cybersecurity and privacy at PwC

There are probably 50 to 100 CISOs "that have the capability to do this at the highest level at a Fortune 500 company," Comyns says. But when he's looking for potential job candidates, most of the elite CISOs aren't available. Those who are open to new opportunities face the hurdles of cultural fit, rapport with executives and willingness to relocated. Suddenly, "you're down to two candidates," he says.

"I'm trying to offer someone almost double their compensation," to jump companies, Comyns says. "I offered someone a 70 percent raise, making near $1 million, and they turned me down. Their company went over the top with a counter-offer that blew my offer away. I and many of the top executive recruiters in this space have a handful of examples like that one."

To fill the void, some companies now have the CISO report to the chief risk officer or to the general counsel - so "legally that person has got us flanked," Comyns says. "They'll try to quantify all the risk, and where they're falling short, they'll subsidize with cyber insurance."

Risk officers at the security forefront in financial services

The financial services industry has already put chief risk officers at the top of the security food chain, O'Hara says. U.S. regulators have informed financial services leadership that cyber risk is no different than the systemic risk they experienced during the credit crisis, and once risk tolerance is determined at the highest levels of the organization - such as what population the company will lend to — it's the chief risk officer's job to be accountable for understanding total aggregate risk and risk exposure, and then working with the security team to manage that risk.

"There isn't a perfect operating model yet" for how risk officers and CISOs work together, O'Hara says. Depending on the company, "in some cases they are handing orders down [to the CISO], but it has to be more collaborative than that. Without a clear view of the cost of doing security [around a business objective], you could be putting the profitability of the organization at risk. On the flipside, not taking security measures because of profitability, and exposing the organization, is also a bad choice - so there has to be some really good communication and a good working approach to it."

Chief Information Risk Management Officers

So far, many CISOs also assume the CIRM officer role at many firms, according to a search of job titles on LinkedIn, but O'Hara expects the number of CIRM officers to increase, and even surpass the gravitas of the CISO role down the road.

The chief information risk management officer "isn't a known title like a CISO," O'Hara says. But once the position is better known, "they may have more stature going forward than the CISO," O'Hara says. "I do believe it is going to be something big."

Regardless of a company's organization structure, the CISO should continue to play a central role in cybersecurity, Comyns says. All C-level executives should be in the loop when it comes to cyber risk, "then hopefully there's a quarterback at the company, ideally the CISO, who is coordinating with everybody, keeping then informed, showing them the playbook and saying 'Here's the security road map of where we want to be.'"