Meetali Sharma, Risk, Compliance & Security Leader, SDG Software (I) Pvt. Ltd., NEXT100 Winner 2016, discusses how a Chief Information Risk Officer should evaluate the threat landscape and focus on managing different risks
The role of CIRO extends beyond security to managing information risk as well as providing a unified risk perspective to the Board of Directors
With a changing threat landscape and shifting information technology priorities, organizations and their leaders must change the way they observe the security landscape. Over the last two decades, new risks can be attributed to globalization, the exploration of new businesses, growth in technology, and gains in productivity.
With the advent of new regulations, there has been an increased focus on data and customer privacy. In order to address this constant shift, organizations must realign and reorganize.
The focus of the leader has now shifted from protecting data to managing the risks associated with data, as well as analyzing and reducing the vulnerabilities associated with cyber security risks. With this shift has emerged a new role: the Chief Information Risk Officer (CIRO).
The CIRO role brings a new and strategic opportunity for security leaders.
The main job of the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO) has been to implement security technologies, protect data, and keep assets secure. However, the role of a CIRO goes beyond this. It extends beyond security to managing information risk as well as providing a unified risk perspective to the Board of Directors. It must involve defining a risk appetite and setting up the right controls to maintain cyber resilience and manage the threat landscape of the organization.
So, how do organizations go about managing this change?
A CIRO should look at many shades of grey and focus on managing the reputational, financial and technological risks to the enterprise. In doing so, a CIRO must:
- Identify risks associated with the organization
- Define risk appetite and tolerance of the organization and quantify the risk
- Implement an appropriate risk response strategy
- Execute the identified plan by implementing controls
- Continuously monitor the controls and the changing risk landscape
The key responsibility areas of a CIRO must include:
- Facilitate Risk-Based Decision Making: Results from risk assessments must be able to combine business goals, risks and threats, and help in developing a highly effective information risk program by enabling risk-based decision making.
- Risk Management: It is the primary responsibility of a CIRO to keep the board of directors informed of the risks the company is facing from all aspects - security, privacy, regulatory and insider threats.
- Balance Regulations and Compliance: New regulations, such as the Sarbanes-Oxley Act (SOX), Basel II, Data Privacy, Consumer Privacy, Anti-Money Laundering (AML), GDPR, etc., need to be carefully analyzed, and controls need to be defined around them. A CIRO has a key role to play here: understanding the laws and regulations an organization needs to comply with, then designing and implementing a security framework and the necessary processes in a manner that demonstrates compliance with these regulations and laws.
- Information Management: It is important for a CIRO to identify the information flowing in and out of the organization including third parties, service providers and sub-contractors.
- Training and Communication: A CIRO must be an excellent communicator, able to convince the board as well as the business about the current level of information risk in easily understandable terms.
Since the role of a CIRO is not a traditional IT role, it is necessary to shift away from the traditional reporting structure. Given the way businesses today operate in complex and highly dynamic global environments, it is imperative for organizations to assess their true risk and compliance posture and build resilience. The CIRO should be in a position to communicate directly with the board and other key executives, rather than be a part of the board/steering committee, in order to support the ongoing information risk management of the organization.