Roles of information security executives changing

New study finds CISOs are being tasked with more risk management responsibilities


The roles of CSOs and CISOs at corporations and government agencies have changed dramatically in recent years. Just as physical security managers have been charged with more than overseeing an organization’s access control and video surveillance measures, information security executives are now being asked to take on more risk management responsibilities.

According to a recent study conducted by Wisegate, a social networking membership body for senior IT professionals, nearly 100 percent of CISOs polled indicated that they have combined information security and risk management responsibilities. In addition, 40 percent of survey respondents said that they expected to see an increase in spending on security/risk management initiatives within their organizations.

The motivating factors driving increased risk management responsibilities for information security executives vary. When asked to cite their two primary drivers, the majority of survey respondents, 73 percent, said that general compliance requirements were one of the main reasons for the convergence, followed by the general threat landscape at 53 percent. Thirty-three percent said that their companies were doing it because it was the "right thing to do," 26 percent reported experiencing a "recent security close call without external reporting requirements" as a primary driver, and 20 percent said they were making the move due to a "recent security incident requiring external notification."

Cox Communications CISO Phil Agcaoili said that about five years ago he started seeing more conversations in the information security sector centered around risk management and the areas of risk that apply to an organization’s security team.

"In my time at two manufacturers… we really got the teams talking together and taking a look at areas around strategic risk, financial risk and operational risk, and for me, security plays a role in each area," Agcaoili said. "What’s interesting is how physical security leaders view security. It is different from information security leaders and different from folks that have cyber security, so physical, info and cyber are all kind of in this space where we are managing different kinds of risk."

Agcaoili said a prime example of how all these different areas of security merge is supply chain security.

"Supply chain security is a dimension of cyber security," he explained. "You’re dealing with background checks for employees and partners; you’re talking about contract security and areas around defining service level agreements; you’re dealing with assurances of overall security and privacy and business relationships; you’re dealing with right to audit and assessment; and, supply chain also covers e-discovery and forensics, litigation support, investigations and intelligence services. In a way, they are all overlapping areas for CSOs and CISOs. Likewise, tracking down and mitigating these risks through people, processes and technology that encapsulates a holistic security protection and safety strategy… it involves all security teams and you have to have varying capacities and the support of executive sponsorship and operational teams with the experience and the ability to cover the entire field. All of these groups have to work together, so a partnership has to be built to cover all of these areas."

Brown University CISO David Sherry said that he’s also seen his role as a security executive evolve towards risk management with additional responsibilities.

"As privacy and compliance continue to gain importance in the success of an enterprise, and with some hesitancy of adding senior head count, assigning responsibilities to the security executive is a sound business model," Sherry explained. "With this, I have seen my responsibilities to now include privacy and its related functions and regulations, compliance with regulatory mandates and external entities, and a deeper role in legal discussions. All of these give me a closer role with the chief risk officer, in addition to the CIO. Lastly, as an institution of higher education, I’ve assumed a greater role and influence with the internal boards who oversee compliance with grants and research data protections."