Will CSOs become CROs in the future?

Is the chief security officer title destined to evolve into one that is about more than just security?

Few would deny the chief security officer role has evolved quite a bit in recent years. At many large companies, the heads of both physical and information security now report in to the same person, an enterprise CSO. The pace of change for the function is accelerating along with the ever-changing nature of threats.

Today, many believe CSOs will morph, sooner rather than later, into chief risk officers (CROs), monitoring and mitigating enterprise risks, including those relating to information security and facilities (but excluding financial risks, which are covered by the more traditional CRO function in large companies). At a high level, the new responsibilities include understanding your company's risk profile and risk appetite and then mitigating the risks accordingly.

Greg Thompson, vice president of enterprise security services and deputy CISO at Toronto's Scotia Bank, already sees his role evolving into something like head of operational risk management. Scotia is Canada's third largest bank.

"The writing is on the wall," said Thompson. "Ten years ago this role was highly operational. We had to get better at operationalizing vulnerability management and putting the right controls in place."

As a CISO in a heavily regulated industry in a risk-averse country, Thompson says he is seeing ever-greater reporting requirements and more need for expertise in operational risk management. He now tracks and manages the full gamut of non-financial risks: fraud, hackers, hacktivists, breaches of privacy, configuration risk, risk of attack by nation states, reputational risk, facilities risk, IT process risk, compliance risk, and supplier/service risk.

"We used to just look at these as security risk indicators. Now, they are key risk indicators. We now look beyond information security and try to understand the rest of the picture," he said, adding that the regulatory climate is driving some of this new emphasis.

The new metrics

Thompson is excited at the prospect of his role expanding, but he feels there is a lack of appropriate metrics to help him define and track enterprise risks.

"We need to find a set of metrics that speak to risk in real terms. There are things like mean time to patch, how many open audit findings. But that's not enough. Defining the measurements is the ultimate challenge," he said.

Right now, his organization is working on developing baselines that will be trustworthy markers now and in the future.

Relevant metrics are changing right along with the CSO role. Thompson has seen some risk metrics change in recent years. For example, the information security function at Scotia Bank used to use "age of vulnerability" as an indicator of the level of risk under the assumption that the longest-standing vulnerabilities were riskier than new ones. Now, the bank has matured its risk analysis not to focus on the age of the vulnerability but rather the threat agents that exist to exploit the vulnerability.

"I now consider the one that has active threats to be higher risk," said Thompson.
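The shift Thompson describes, from ranking open vulnerabilities by age to ranking them by whether threat agents are actively exploiting them, can be made concrete in code. The following Python is an added illustration written for this article, not Scotiabank's or Verisign's tooling; the `Finding` record, the weighting in `risk_score` and the sample inventory (with made-up identifiers such as `VULN-A`, not real CVEs) are all constructed assumptions. It ranks the same open findings both ways and also computes the "mean time to patch" figure Thompson names as one of the existing metrics.

```python
"""Vulnerability ranking: active threat agents outrank age.

Added example (not the bank's or Verisign's code). Compares the legacy
'age of vulnerability' ordering with a threat-agent-driven ordering over
a constructed inventory, and computes mean time to patch (MTTP).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Finding:
    vuln_id: str            # constructed identifier, not a real CVE
    asset: str
    discovered: date
    patched: Optional[date]  # None while the finding is still open
    active_threat: bool      # known threat agents exploiting it in the wild
    high_value_asset: bool   # asset flagged high-value by the business


def age_days(f: Finding, today: date) -> int:
    """Days the finding has been (or was) open."""
    end = f.patched or today
    return (end - f.discovered).days


def rank_by_age(findings: List[Finding], today: date) -> List[str]:
    """Legacy view: the oldest open finding is treated as the riskiest."""
    open_ = [f for f in findings if f.patched is None]
    return [f.vuln_id for f in
            sorted(open_, key=lambda f: age_days(f, today), reverse=True)]


def risk_score(f: Finding, today: date) -> float:
    """Threat-driven view (assumed weights): active exploitation dominates,
    asset value comes next, and age only breaks ties."""
    score = 0.0
    if f.active_threat:
        score += 100
    if f.high_value_asset:
        score += 10
    score += min(age_days(f, today), 9) / 10   # contributes at most 0.9
    return score


def rank_by_threat(findings: List[Finding], today: date) -> List[str]:
    """Matured view: findings with active threat agents come first."""
    open_ = [f for f in findings if f.patched is None]
    return [f.vuln_id for f in
            sorted(open_, key=lambda f: risk_score(f, today), reverse=True)]


def mean_time_to_patch(findings: List[Finding]) -> Optional[float]:
    """Average days from discovery to patch over closed findings."""
    closed = [f for f in findings if f.patched is not None]
    if not closed:
        return None
    return sum((f.patched - f.discovered).days for f in closed) / len(closed)


# Constructed sample inventory; dates chosen so the two rankings differ.
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("VULN-A", "hr-portal", date(2023, 11, 1), None, False, False),   # 121 days old, no known exploitation
    Finding("VULN-B", "payments-api", date(2024, 2, 20), None, True, True),  # 10 days old, actively exploited
    Finding("VULN-C", "intranet-wiki", date(2024, 1, 15), None, True, False),
    Finding("VULN-D", "build-server", date(2024, 1, 1), date(2024, 1, 21), False, False),
    Finding("VULN-E", "vpn-gateway", date(2024, 2, 1), date(2024, 2, 11), True, True),
]

if __name__ == "__main__":
    print("by age:   ", rank_by_age(SAMPLE, TODAY))
    print("by threat:", rank_by_threat(SAMPLE, TODAY))
    print("MTTP days:", mean_time_to_patch(SAMPLE))
```

With this data the age-based ranking puts the 121-day-old, unexploited `VULN-A` first, while the threat-driven ranking moves the ten-day-old, actively exploited `VULN-B` on a high-value asset to the top; the weights are deliberately coarse so that no amount of age can outrank an active threat, which is the policy Thompson describes.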

Thompson believes that whether or not one's title explicitly includes the "R," every CSO takes what he calls a "risk-related perspective" today, out of necessity. Verisign CSO Danny McPherson agrees, saying his approach is "intelligence-driven security." What that means is McPherson considers the context in which Verisign of Reston, Va., operates. "We want to use our best resources to make sure our high-value assets are protected," he said.

McPherson and many others believe enterprise risk management should be a cross-functional phenomenon.

"You need to break down those information silos. It's about connecting the dots for the business. How does a new product, a new press release, a new competitor -- how do these affect the company's threat level, and how do we get back to an acceptable level of risk?" he said. "Given the global nature of business today, it becomes harder and harder to wrap your arms around that. How do we invest intelligently? How do we protect ourselves and our customers in the most effective way? Risk management needs to go beyond just checking off boxes that are required by regulations."

The only way you can protect the enterprise, McPherson believes, is by understanding the context and the landscape in which your business operates.

"If you can leverage that information and collect it and provide context, you will be more agile and adaptive as a result of that. And risk level goes down."

To Scotia Bank's Thompson, given the Internet and the explosion in digital information, information security touches every aspect of business today. And he is pleased to be helping his company keep abreast of the full range of information risks it faces today.

It will surprise few that CSOs who already have a strong connection to the business are already well positioned to embrace the CRO role described here. Thompson and McPherson are both in constant contact with their business counterparts and enjoy that aspect of their jobs.

"I like to be the jack of all trades," said McPherson. "I love getting a handle on the business context and contributing to the strategic direction. It is so critical to have those feedback loops, to sit down together and challenge each other's assumptions."

McPherson said he is lucky to have executive team support to do this.

"I couldn't do it without that."

Stories by Lauren Gibbons Paul