The increasingly complex regulatory environment, and the steady addition of new nationwide and global privacy regulations, have transformed the landscape of cybersecurity. Historically, the Chief Risk Officer (CRO) and Chief Information Security Officer (CISO) have had different responsibilities and different challenges, and 25 years ago privacy and security were rarely used in the same sentence. As the world of cyber grew exponentially, industry experts began to recognize and publicize the relationship between the two. In 2021, terms that were once only distantly related are more intertwined than ever.
Defining privacy and security
Before diving into the alignment between privacy and cybersecurity, let’s quickly define the two terms. Simply put, security is the set of controls an organization has in place to protect information from unauthorized access. Privacy, as defined by the European Data Protection Supervisor, is the “ability of an individual to be left alone, out of public view, and in control of information about oneself.” In practice, the impact of privacy on individuals is determined by how the governments and organizations that collect data interpret it.
In theory, individuals should have the right to be the gatekeepers of their own personal information. In practice, this is often not the case. In response, new privacy laws are emerging that require organizations to make clear where personal information is collected, processed, and stored. That raises the next question: how is this information protected? The answer is security.
How are the two related?
Privacy laws require companies to keep our personal information safe: in other words, secure. As long as organizations are collecting, processing, and storing personal information, privacy and security go hand in hand.
Consider one example: when you shop online and enter your personal information, you do so under the assumption that it will be protected. An organization puts itself at serious risk by not guarding consumer privacy. Not only are there harsh fines for companies that disregard or overlook security, but the loss of consumer confidence can easily destroy a brand’s reputation. In this case, it is clear why the relationship between privacy and security needs to be a strong one within organizations.
With the development of technology and the growth of the threat landscape, it is evident that the principles of privacy and security are interrelated and mutually affect one another.
The relationship between the CRO and CISO
A Chief Risk Officer’s main responsibility is to identify key risks and the controls that mitigate them, and from these to determine the risk profile of the organization. Within the larger organization, the CRO tracks the remediation of control weaknesses, monitors the company’s risk profile, develops and monitors key risk indicators, identifies emerging risks, coordinates and analyzes the collection of risk information, and develops and maintains policies and procedures.
While the CRO is responsible for an organization-wide view of risk management, the CISO, among other things, is responsible for overseeing risk within the IT and cybersecurity functions and for managing vulnerabilities across the company’s on-premises and cloud infrastructure. Similar to the CRO, the CISO’s responsibilities include overseeing IT risk assessments, internal and external audits, control monitoring, and compliance.
Historically, the CISO reported to the Chief Information Officer, since security was viewed as a technology-focused role. In recent years, the CISO role has transitioned to a more business-oriented and strategic position. When K logix first started collecting industry trends through our Feats of Strength magazine in 2015, over 50% of the CISOs interviewed reported to the CIO. Now, in 2021, only 13% of CISOs report to the CIO.
As the CISO position has evolved and cybersecurity is less and less viewed as a purely technology problem, more organizations are moving the CISO reporting line to the CRO, shifting the CISO’s view of cybersecurity toward a risk-based lens rather than a purely technological one.
Security is a people problem, not a technology problem
Because cybersecurity is an organization-wide responsibility, the CISO needs to sit at the same table as the rest of the C-suite and have a seat in the boardroom.
It is important to note that a company’s greatest asset, its people, is also its greatest vulnerability. In other words, people create cyber risk. No matter how well you protect your organization’s assets, there will be risk in your environment. Solving this human problem requires sitting at the same table as the company’s other leaders to build a culture of risk management in which employees treat the protection of the company’s assets as they would their own. As part of the risk organization, CISOs can persuade their peers across the business of the importance of this non-technical problem to the bottom line. According to Jon Fredrickson (CRO, Blue Cross & Blue Shield of Rhode Island) on page 14 of our September 2021 issue of Feats of Strength, as a security leader, you’re a “partner and you’re here to enable the business to do what they want to do, but we have a responsibility to do it safely and with member privacy in mind.” His persistence with this mantra has led his team to a successful relationship with the business.
Fredrickson hopes more security leaders assume extended risk roles in the future. In the same interview he adds, “You look at all of the more recent attacks and the old school, CIA triad: confidentiality, integrity, and availability. With the way ransomware’s going with extortion, it’s really all about confidentiality and availability right now. And I think that if you have that higher lens or report through something that’s not just IT then you’d hopefully have a better view of the organization and the impacts if a cyber event were to affect operational capacity.”
To demonstrate that they understand how cyber risk affects their company’s operations and bottom line, CISOs must communicate risk the same way other business leaders communicate about operational risk. Reporting to the CRO supports and accelerates that shift.
About K logix
K logix provides white-glove cybersecurity advisory and consulting services. With over 20 years of experience supporting organizations of all sizes and verticals, we empower leaders to mature their security programs and strategically align with the business to reduce risk. Our approach has always been business-driven: we believe security leaders should have a productive seat at the table and the tools to communicate effectively with executives.