How much security is enough?
Not long ago, a chief risk officer might often have felt like a salmon swimming upstream. Also known, tongue in cheek, as “business prevention officers,” CROs for many years may have been relegated to the sidelines, their advice lost in the press of doing business, University of Maryland business professor Clifford Rossi wrote in American Banker.
But large-scale “black swan” events in recent years demonstrated to organizations the perils of leaping after business capital without first taking a long, hard look at risk. As a result, CROs have gained enormously in respect and prestige, no longer seen as “business preventers” but as “business protectors” who are essential to success.
The risk profession has come into its own. A number of organizations have increased their risk-management budgets, some by as much as 100 percent, including raising CROs’ pay. CROs have gained influence, as well. More have a seat on their institution’s board of directors, and many now report directly to a C-level executive, the Wall Street Journal reported.
Ditto for the CISO?
The chief information security officer may be on a similar path.
Cybersecurity has often been regarded as an IT problem — with a price tag that can make executives cringe. CISOs’ warnings of system vulnerabilities sometimes do not even get reported, as their superiors — often, the CIO — may be reluctant to request the funds needed for a fix, according to a Business Insider report.
Large-scale data breaches of recent years have shown business leaders the dangers of turning a blind eye to cyber. Security can be expensive, but the alternative may be worse: Estimates place the costs to business of cyberattacks at upwards of $500 million a year, Forbes reported in 2013. The reputational toll may be high, as well.
And a major reason for weak security, one study shows, is a lack of funding.
As a result, Forbes reported, organizations large and small are upping the cybersecurity ante, with some major banks investing hundreds of millions of dollars this year, even doubling expenditures in some cases.
But is spending money enough? Some say increasing the cyber budget is a good first step, but protecting our systems requires systemic change. Organizations do need great security and IT staff and top-notch cybersecurity tools, but they also need comprehensive risk-management strategies devised, and implemented, at the board level, according to Cyberpolicy Magazine.
For a truly effective security program, CISOs must discuss the organization’s security posture openly, honestly and regularly with the board, a recent book on cybersecurity asserts. After years of debate, the time may have come for CISOs to join their boards of directors — as chief risk officers started doing when risk management was deemed crucial to business success.
Giving CISOs a seat on the board would almost certainly help the C-suite keep current on ever-changing cybersecurity challenges and solutions, and improve organizational resiliency and response should threats or breaches occur.
Some suggest that reporting hierarchies ought to change, as well, so that the CISO reports directly to the CEO — something that happens now only 22 percent of the time, according to the Governance of Cybersecurity 2015 Report from the Georgia Tech Information Security Center.
Engaging the CISO at the highest levels may reap many benefits for an organization, including a more productive, collaborative approach to security — so that, rather than having a lone-salmon CISO fighting against the current, organizations and their security teams work more like a school of fish swimming in sync, moving with the flow, toward common goals.
JR Reagan is the global chief information security officer of Deloitte. He also serves as professional faculty at Johns Hopkins, Cornell and Columbia universities. Follow him @IdeaXplorer.