A strategic security partnership that involves the Chief Information Security Officer (CISO), the Chief Information Officer (CIO) and the Chief Risk Officer (CRO) is the most effective way to address cybersecurity. In this article on McKinsey.com by Oliver Bevan, Jim Boehm, Merlina Manocaran and Rolf Riemenschnitter, we are shown how such a partnership might be implemented to advantage (as observed at a large corporation).
The Role of the CRO and Team in the Implementation
- The risk team, along with the CISO and security specialists, should form an early view of the enterprise-wide risks. This early step helps foster collaboration and allows for effective and efficient remediation.
- The CRO helps the CISO and CIO design the cyber investment principles.
- The CRO team works with the CISO and CIO to develop and present initiatives to executive management.
- The risk team then monitors the progress and status of the initiatives, cyber investments, and mitigation, and works with the CISO and CIO to determine mitigations and the necessary timelines.
The Role of the CISO in the Implementation
- With the guidance of the CRO, the CISO and team translate cyber risk recommendations into technical and non-technical initiatives. The CISO then vets and aligns them with the CIO team. After approval from the CIO, CISO, and CRO, the CISO and CIO teams proceed to design solutions.
- The CRO and CISO then align the format, content, and cadence of cyber risk reporting. The CIO and CISO put initiatives in place to jointly report progress and statuses to the CRO, who then passes this on to the executive leadership and the board.
- With or without the CIO, the CISO proceeds to direct a security operations center: the CIO team focuses on operational workflow, while the CISO team focuses on providing security-specific support.
The Role of the CIO in the Implementation
- The CIO, along with the CISO and CRO, has an equal stake in addressing cyber risk throughout these processes. This equality is essential, as the CIO and the CIO team are responsible for implementation and are also required to balance security-driven demands with their other IT "run" and "change" requirements.
The original article is available in full at: https://www.mckinsey.com/business-functions/risk/our-insights/cybersecurity-and-the-risk-function