The Next-Gen CISO - Building Cyber Resilience with Cyber GRC
IT Risk & Cyber Risk | 4 Min Read | 12 April 22 | by Patricia McParland
I’ve worked with Chief Information Security Officers (CISOs), and one thing I can say with certainty is that CISOs are unquestionably busy people. I liken it to the cartoons of old, when a character would be ducking, dodging, and fending off arrows with bare hands. CISOs are managing risk, monitoring IT compliance, fending off ever-changing threats, looking for vulnerabilities, and creating a culture of cybersecurity awareness – all day, every day!
I’ve made the CISO role sound somewhat tactical, but it’s highly strategic and has become even more so since the early stages of the pandemic, when CISOs were front and center among the many IT professionals who worked quickly to ensure business continuity. From securing the remote systems and data of employees who suddenly had to start working from home against cyberattacks, to simultaneously managing increased regulatory scrutiny, the CISO’s role has become one of the most significant in the enterprise.
As cyber GRC challenges such as enhanced cyber risks, new regulations, and accelerating digital transformation continue to dominate the business landscape, the CISO’s role continues to evolve faster than ever.
The role has expanded outside of IT to become a key enabler of business performance by protecting business assets and data privacy. A 2021 survey of global CISOs found that 45% of CISOs now have responsibility across the three key areas of security, risk, and trust. The CISO role has come of age – and is evolving into the next-gen CISO.
So, who is the next-gen CISO? Here are some of the roles today’s CISO plays:
- The executive sponsor for security change: CISOs now drive security from a business perspective. This requires aligning with and understanding the business strategy, managing end-to-end cyber risk management, and building cyber resilience. As the leader of cyber risk management and GRC at the organization as well as the owner of the information technology roadmap, the CISO must map organizational strategy, technology, infrastructure, compliance requirements, and core cyber risks to embed cyber security into the culture, process, and technology. The CISO also leads security change by maintaining a line of sight into technology trends and disruptions and aligning information security investments and cyber risk mitigation steps with business priorities.
- The builder of information security and data protection assurance: The CISO plays a key role in building a robust information and data protection program, leveraging the information security of the organization to enable business objectives. This includes establishing the cyber risk management framework for sustainable protection assurance for all intangible assets and strategic advantages. Regular network monitoring, performing cyber audits, and training both cyber security staff and general employees in security protocols and safe practices are now CISO responsibilities.
- The leader of third-party and IT vendor relationship management: With third- and fourth-party IT vendors now part of the extended ecosystem, the CISO is responsible for identifying risk introduced through third parties and managing third-party security. Identifying and ranking vendor relationships, performing due diligence, conducting regular security evaluations, monitoring vendor compliance with cyber security standards, tracking updates, etc., are some of the key priorities that the CISO steers.
- The director of continuous IT compliance and governance: In the era of cyber GRC, a CISO’s role now includes enabling continuous regulatory and standards compliance across all digital assets and processes. Cyber governance, including overseeing the smooth running of cyber resilience initiatives and regular reporting to corporate leadership, also falls under the purview of the CISO.
- The chief communicator of cyber risk: With cyber risk being such a critical area, the CISO holds the unique responsibility of communicating cyber risk in a language that the board and the rest of the C-suite can understand. Technical cyber security details are often not easily comprehended, and risk expressed in heat maps can be vague. Cyber risk exposure quantified in monetary terms, on the other hand, can effectively paint a clearer picture of the cyber risk.
MetricStream CyberGRC – Empowering CISOs to Build Cyber Resilience
MetricStream’s CyberGRC, built as an interconnected, intuitive, and intelligent GRC product set, empowers CISOs to connect cyber risk data from across the enterprise, including third- and fourth-party vendors, and then use the actionable business intelligence to make data-driven decisions that build cyber resilience.
MetricStream CyberGRC further enables CISOs to:
- Assess and manage IT risks including impact assessment of IT vendor risk exposure
- Quantify cyber risk, enabling the effective communication of cyber risk exposure in monetary terms
- Create a centralized repository for the organization’s threats and vulnerabilities and streamline management of these issues by bridging silos within the company
Being a CISO is hectic and stressful – but it’s also incredibly important, and I for one look forward to watching the continued evolution of the role, as CISOs increasingly become business champions as well as IT and security champions. Cyber is one of the biggest existential risks enterprises face today. The next-gen CISOs are here to lead us through – even as they dodge the many arrows. We’re rooting for you!
Want to learn more about how MetricStream CyberGRC can help build cyber resilience? Write to me at [email protected]. You can also try our customized demo to see how our product works.