Whether separating certain functions within cybersecurity can improve risk management is an open question in the industry. According to Chirag Joshi, a CISO and founder of the consultancy 7 Rules Cyber, there are cases where it is beneficial to have a head of cybersecurity oversee the technical, operations, and architecture teams while a separate CISO focuses on governance, risk, and compliance.
The governance and risk side of cybersecurity is what presents metrics, measurements, strategy, and policy to the board. For public companies, describing the cyber risk management program in the annual report, as the SEC's cybersecurity disclosure rules require, usually falls to the governance leader. That person develops a strategy that includes measurements of the controls, but the measurements are only credible if someone functionally independent of the operational teams can challenge them and the decisions behind them.
Keeping operational and risk responsibilities apart makes it more likely that risk choices can be questioned independently. Elevating the CISO to the same standing as other C-suite executives turns the role into that of a strategic business adviser whose job is managing risk. Instead of asking only how to secure a given system, the CISO takes part in deciding whether the organization should adopt a new application or initiative in the first place, and on what terms.
That shift lets the CISO weigh in on business decisions that carry security implications: risk appetite, strategic direction, and which mitigations are worth their cost. A CISO who is empowered to challenge decisions and deliver independent assessments produces a more robust, better-rounded risk management approach than one who reports on controls they also built.
Separating the operational and risk functions also helps prevent conflicts of interest. When the same team builds, runs, and grades a control, it has little incentive to report that the control is weak; an independent risk function removes that incentive and lets assessments be conducted impartially. The result is a system of checks and balances in which risk decisions are evaluated on their merits rather than dictated by operational convenience.
In conclusion, separating these functions will not suit every organization, but it is worth considering as a way to strengthen risk management. Giving the CISO responsibility for governance, risk, and compliance, distinct from day-to-day operations, gives the company a more holistic and strategic view of its security posture. The CISO's role can then evolve from technical expert to key business adviser, contributing to risk management and decision-making at the executive level.
