More businesses are appointing a chief information risk officer (CIRO) and it is expected to become a full-time professional position.
Andrew Fitzmaurice, CEO of Templar Executives, said that often the board do not see the benefit of information security until it is presented to them and they see that it can affect share prices and their corporate edge.
Therefore the “board level champion” position of the CIRO has emerged who has a CISO reporting to them and replacing the CIO at the board level.
He said: “We train at board level and target COOs, finance directors and senior people who may run massive projects running widgets as everyone should know that security is so important and should know the business importance.
“We come across CEOs who have no idea of what an 18 year old with a Smartphone is doing but if they understand the threats or benefits then that can be significant. For a lot of CEOs it is quite a steep learning process and some really take an interest and some are really shocked at what is going on and we can advance their learning.”
This, Fitzmaurice explained, has led to more staff being given the position of CIRO in both the FTSE 100 and in Government, as often the CIO is not on the board and is several levels below, so from an awareness point of view this can be valuable.
“Security can scare some people, while some are anaesthetised to it, but if we give them the benefits and use cases where it has been embraced, they can see the competitive edge,” he said. “In this sector we see a lot of ‘woe is me’ among security professionals where they do not get where they want and heads go down, but if you work with business information and focus on protecting it, then the CEO is more interested as it is about the competitive edge.”
Following the company achieving CESG accreditation for its training courses recently, Fitzmaurice said that it reaches the CIRO more as they get to the board as they are well supported throughout the business. “They push out best practice to the board and the non-executive directors and doing training for them,” he said.
He explained that the CIRO is an appointed role at the moment, with someone carrying it as a secondary position, but he could see it becoming more of a professional position. “Think of it as a proper risk appetite,” he said. “They did it in Government as they work with the board and if they are working with 100 asset managers, they could be very busy. We are training for it, and I reckon there could be around 150-200 already within the UK.”
Brian Honan, CEO of BH Consulting, told IT Security Guru that he has seen the information security role being moved under the risk function within a company, and the CISO report to the chief risk officer more commonly.
“Indeed, we provide an outsourced CRO service for a number of our clients,” he said. “As we operationalise and outsource more and more of the IT security tasks, the information security professional role will develop from being technically focused to one focusing on managing the risks for a business.
“As such the role of chief risk officers will develop and grow. However, this will happen in companies that have a mature security program in place and are capable of looking at information security at a strategic rather than an operational or reactive level.”