Long before the COVID-19 pandemic, the so-called C-Suite consisted of just a few members: the CEO, CIO, CFO, and the CMO. Even when I was doing my MBA, these were the only titles that existed, even during the time of the dot-com craze.
But fast forward to now, and many more C-level titles have been added to the mix. Pretty much all of these have to do with Cyber, so now you will find such titles as vCCO, vCPO, vBISO, vCDO, etc.
Now there is a new one that has been added to the mix: the vCIRO, also known as the “Chief Risk Information Officer”. You may be scratching your head right now, wondering what this person really does.
To be honest, this is the very first time that I have heard
of this term, and I even venture to say that it is just a new piece of technojargon
that has hit the Cyber industry.
But to be fair, the primary role of this person (as it appears to me) is to take charge of overseeing the level of risk to which their business is exposed, and from there to report to the rest of the C-Suite, as well as the Board of Directors, on whether the current level of risk is tolerable or whether it needs to come down to where the industry norms are.
So the vCIRO is primarily tasked with conducting the risk assessments, taking stock of which physical and digital assets are most at risk of a security breach, and determining what kind of controls are needed to further protect them so that they are not so vulnerable.
Traditionally, these sorts of tasks have been assigned to the vCISO and their respective IT Security team, but given how overloaded they are, this task is now being handed off to the vCIRO.
This morning, I read an article on how the vCIRO role will now differ from the vCISO role. Here is where some of the lines of division will be:
1) They are much more business focused:
Although calculating risk is much more of a Cyber role, it has a huge business role as well. For example, you need somebody who can talk about this kind of thing in plain, simple terms so that the other members of the C-Suite and the Board of Directors can understand it quickly. It is important to keep in mind here that these people only speak dollars and cents, and nothing else. They have no concept of the Cyber threat landscape, so why bore them with all of that? So this is where this new role is going to come into play: to put into business terms what Cyber risk is all about, and what it means to the bottom line.
2) The decision-making process will be autonomous:
It has always been assumed with the CISO role that whatever he or she says will be transmitted down to the very bottom rung of the company, in a top-down fashion. However, this will not be the case with the vCIRO. Rather, they will be given almost total freedom to make decisions on their own, with the interests of the company as their guiding objective. There will be no top-down reporting here; rather, reporting will only go upward, as mentioned earlier in this blog.
3) There will be a balance in the language being used:
Right now, the CIO has been blamed either for a lack of understanding of the business side of Cyber, or for knowing how to communicate only in technojargon that nobody can understand. In other words, there is nothing in between. Well, it is highly expected that the vCIRO will straddle this boundary and be able to speak both sides of the fence.
4) More metrics will be involved:
Since this new job title has “Risk” in it, you can count on the fact that the person who fills this role will be heavily into metrics and other forms of Key Performance Indicators (KPIs). But they won’t be dazzled by anything that can be measured; rather, their main focus will be on the metrics that matter the most, and on presenting them in an understandable way to the other members of the C-Suite and the Board of Directors. For example, one such area will be Mean Time To Detection, also known as “MTTD”. This metric reflects how long it takes a company to detect a security breach, and at the current time it is well over 90 days.
5) They will take a proactive role in the business:
The CISO has often been slammed, whether rightly or wrongly, for being too negligent of the other business activities happening in the other departments of the organization. IMHO, the CISO really has no time for this, as they are tasked with too many things as it is. But since the role of the vCIRO is more limited by nature, it is assumed that he or she will take on the burden of understanding what the business needs are (from the standpoint of Cyber) across all of the Business Units (BUs).
My Thoughts On This:
Fundamentally, I think the role of the vCIRO is actually a good one. Risk Management is taking on much more importance in the world of Cyber, and there needs to be someone who is dedicated to doing this exact thing. But also keep in mind that there will be a whole new slew of “v” related titles coming out in Cyber.
In my view, the primary reason for this is that the days of the traditional CISO will soon be coming to an end. This will be driven by the further emergence of the vCISO. This group of individuals is far more cost effective than hiring a CISO outright.
Plus, these individuals have their own groups of contacts that
they can bring on board as well, depending upon the needs of your project.
For instance, rather than paying a CISO a salary of $100K for one year, you can hire a vCISO with the same amount of knowledge (and probably even more) for just $20K on a fixed-term contract. Right now, it does seem awfully confusing who to turn to with all of these “v” titles that are coming up.
So my suggestion here would be to hire a vCISO first, and let them assess your current environment.
They will not waste any time here, as they know time is of the essence, and they will get to the heart of the matter in no time. After they have done their assessment, let them tell you how to move forward. Very likely, as mentioned before, they will have their own Rolodex of contacts that they will be able to bring on board, rather than having you hire these individuals separately.