5 Traits That Differentiate CISOs From CIROs5 Traits That Differentiate CISOs From CIROs
Chief information risk officers must have a keen understanding of — and interaction with — the business.
July 12, 2022
Twenty-five years ago, when I was the chief information security officer for Visa, my role was very technically focused. Times have changed, however, and so have the objectives that guided CISOs in the past. The CISO role is becoming broader and more complex. To address the evolving cybersecurity threat landscape, the role requires a deep understanding of risk and strong business acumen, as well as a firm grasp of what's important to the success of the business. Some have started calling this new brand of security leader the chief information risk officer, or CIRO.
There are five unique traits that CIROs will need to develop to differentiate themselves from their CISO predecessors and stay relevant in modern times.
1. CIROs Are Mission-Aligned
CIROs will align their security mission with that of the broader business. To do that, CIROs must demonstrate keen awareness of the organization's value chain. When I'm doing CISO coaching, one of the first things I ask is, "What are the three goals your CEO has set for the year?" You'd be surprised how many don't know — and I think that information is absolutely essential for any security leader going forward. CIROs must tie their program back to the objectives the CEO has set for the year. How will the team help grow the business? If there are mergers and acquisitions coming up, how can security contribute to a safe and successful transaction?
2. CIROs Make and Own Their Decisions
Modernity is all about developing critical thinking skills, as well as engagement with executive management. CIROs will spend more time managing up than managing down. They should be empathetic and transparent in their interactions, and own their decisions. I was a security leader in very large companies. I had a great middle management team that could manage the day-to-day workers or the operational side. My goal was more to manage the organization from the top down. I had to make great decisions and stick to those decisions, adjusting when necessary. No decision is perfect, but indecision is far worse. It's all part of being agile.
3. CIROs Value People
The CIRO role requires the ability to manage people, mentoring them over time to develop their skills and responsibilities. CIROs also need to earn and maintain trust. Good CIROs have and understand people skills; great CIROs will master them.
4. CIROs Measure What Matters
A CISO today might say, "We blocked 10 billion spam attempts last year." That's a really impressive number — too bad it doesn't really matter. CIROs need a short list of metrics that matter. And what matters is being able to communicate the value of the security program and to demonstrate that progress is being made quarter over quarter. CIROs must strive for continuous improvement and have numbers that back up their teams' efforts.
5. CIROs Are Part of a Community
CIROs need to make sure they're talking to and working with all the different business lines within the company, but also with industry peers, partners, and third-party organizations. And, as industry leaders, CIROs should give back and participate in support groups like the Security Advisor Alliance. The benefits go both ways, of course, as this kind of collaboration helps CIROs better understand what's going on in the broader security industry.
Security Evolution Starts at the Top
Whether the title is CIRO, CISO, or something else entirely, the next generation of security leaders will be fluent in business. They will understand the adaptive strategies and initiatives that drive the business. They will be comfortable communicating with other executives across the organization to expand that understanding. And they will make efforts to map their risk management program back to those objectives. Tighter integration between security and business is coming, and that shared culture will help security teams know what they need to protect and how they can do a better job of protecting it.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023