Saturday, July 16, 2022

Just How Badly Do We Need A vCIRO? Find Out Here

 


Long before the COVID-19 pandemic, the so-called C-Suite consisted of just a few members: the CEO, CIO, CFO, and CMO.  Even when I was doing my MBA, these were the only titles that existed, even during the dot-com craze. 

But fast forward to now, and many more C-level titles have been added to the mix.  Pretty much all of them have to do with Cyber, so now you will find people with such titles as vCCO, vCPO, vBISO, vCDO, and so on.

Now there is a new one that has been added to the mix: the vCIRO, or virtual Chief Information Risk Officer.  You may be scratching your head right now, wondering what this person actually does. 

To be honest, this is the very first time I have heard of this term, and I would even venture to say that it is just another piece of technojargon that has hit the Cyber industry.

But to be fair, the primary role of this person (as it appears to me) is to take charge of assessing the level of risk to which the business is exposed, and from there to report to the rest of the C-Suite and the Board of Directors whether the current level of risk is tolerable, or whether it needs to be brought down to where the industry norms are.

So the vCIRO is primarily tasked with conducting the risk assessments: taking stock of which physical and digital assets are most at risk of a security breach, and what kind of controls are needed to protect them further so that they are not so vulnerable. 

Traditionally, these tasks have been assigned to the vCISO and their IT Security team, but given how overloaded they are, this work is now being handed off to the vCIRO.

This morning, I read an article about how the vCIRO role will differ from the vCISO role.  Here is where some of the lines of division will be:

1)     They are much more business focused:

Although calculating risk is very much a Cyber role, it has a huge business component as well.  For example, you need somebody who can talk about it in plain, simple terms so that the other members of the C-Suite and the Board of Directors can understand it quickly.  It is important to keep in mind that these people speak in dollars and cents, and nothing else.  They have no concept of the Cyber threat landscape, so why bore them with all of that?  This is where the new role comes into play: putting into business terms what Cyber risk is all about, and what it means to the bottom line.

2)     The decision-making process will be made autonomous:

It has always been assumed with the CISO role that whatever he or she says will be transmitted down to the very bottom rung of the company, in a top-down fashion.  That will not be the case with the vCIRO.  Rather, they will be given almost total freedom to make decisions on their own, with the interests of the company as their guiding objective.  There will be no top-down reporting here; reporting will only go upward, to the C-Suite and the Board, as mentioned earlier in this post.

3)     There will be a balance in language being used:

Right now, the CIO is blamed either for a lack of understanding of the business side of Cyber, or for only being able to communicate in technojargon that nobody can understand.  In other words, there is nothing in between.  The vCIRO is expected to occupy this middle ground, and to be able to speak both sides of the fence.

4)     More metrics will be involved:

Since this new job title has “Risk” in it, you can count on the person who fills this role being heavy into metrics and other Key Performance Indicators (KPIs).  But they will not be dazzled by anything that can be measured; rather, their main focus will be on the metrics that matter the most, and on presenting them in an understandable way to the other members of the C-Suite and the Board of Directors.  One such metric is the Mean Time To Detection, also known as “MTTD”.  It simply measures how long, on average, it takes a company to detect a security breach, and at the time of writing it is well over 90 days.

5)     They will take a proactive role in the business:

The CISO has often been slammed, rightly or wrongly, for being too neglectful of the business activities happening in the other departments of the organization.  IMHO, the CISO really has no time for this, as they are tasked with too many things as it is.  But since the vCIRO role is narrower by nature, it is assumed that he or she will take on the burden of understanding what the business needs are (from the standpoint of Cyber) across all of the Business Units (BUs).
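Point 4 above names MTTD as the kind of figure a vCIRO would put in front of the board.  As an added example (not from the original post or the article it summarises), here is a small Python script that computes MTTD from an incident register, alongside the median and worst case that a bare average hides, the companion mean time to contain, and a check against a risk tolerance threshold.  All incident IDs, dates and the 90-day tolerance are constructed assumptions for illustration, not real incidents or an industry norm.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    """One record from a hypothetical incident register.

    compromise_at: earliest evidence of attacker activity found by the investigation.
    detected_at:   when the security team first raised an alert on it (None while
                   the investigation has not yet established it).
    contained_at:  when the attacker's access was cut off (None if still open).
    """
    incident_id: str
    compromise_at: datetime
    detected_at: Optional[datetime] = None
    contained_at: Optional[datetime] = None


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


# Constructed sample register: hypothetical IDs and dates, not real incidents.
SAMPLE_REGISTER: List[Incident] = [
    Incident("INC-0001", _ts("2022-01-03T08:00"), _ts("2022-01-13T08:00"), _ts("2022-01-15T08:00")),  # 10 days to detect
    Incident("INC-0002", _ts("2022-02-01T00:00"), _ts("2022-02-21T00:00"), _ts("2022-02-22T00:00")),  # 20 days
    Incident("INC-0003", _ts("2021-06-01T00:00"), _ts("2022-03-01T00:00")),                            # 273 days: long-dwell intrusion
    Incident("INC-0004", _ts("2022-04-10T12:00"), _ts("2022-04-15T12:00"), _ts("2022-04-18T12:00")),  # 5 days
    Incident("INC-0005", _ts("2022-05-01T00:00")),                                                      # detection time not yet established
]


def _days(delta: timedelta) -> float:
    return delta.total_seconds() / 86400


def time_to_detect(incident: Incident) -> Optional[timedelta]:
    """Dwell time for one incident, or None if it cannot be measured yet."""
    if incident.detected_at is None:
        return None
    if incident.detected_at < incident.compromise_at:
        # A timeline error in the register would otherwise yield a negative
        # dwell time and quietly pull the average down.
        raise ValueError(f"{incident.incident_id}: detected before compromise, check the timeline")
    return incident.detected_at - incident.compromise_at


def time_to_contain(incident: Incident) -> Optional[timedelta]:
    """Time from detection to containment, or None if not yet contained."""
    if incident.detected_at is None or incident.contained_at is None:
        return None
    if incident.contained_at < incident.detected_at:
        raise ValueError(f"{incident.incident_id}: contained before detection, check the timeline")
    return incident.contained_at - incident.detected_at


def _summarise(label: str, samples: List[float], total: int) -> Dict[str, Optional[float]]:
    if not samples:
        return {"measured": 0, "unmeasured": total, f"{label}_days": None, "median_days": None, "max_days": None}
    return {
        "measured": len(samples),
        "unmeasured": total - len(samples),
        f"{label}_days": round(mean(samples), 1),   # the headline figure
        "median_days": round(median(samples), 1),    # what a typical incident looks like
        "max_days": round(max(samples), 1),          # the worst case the board should hear about
    }


def detection_metrics(register: List[Incident]) -> Dict[str, Optional[float]]:
    """MTTD with the context a mean alone hides: one long-dwell intrusion
    (INC-0003 in the sample) drags the mean far above the median."""
    samples = [_days(d) for d in map(time_to_detect, register) if d is not None]
    return _summarise("mttd", samples, len(register))


def containment_metrics(register: List[Incident]) -> Dict[str, Optional[float]]:
    samples = [_days(d) for d in map(time_to_contain, register) if d is not None]
    return _summarise("mttc", samples, len(register))


def above_tolerance(metrics: Dict[str, Optional[float]], tolerance_days: float) -> bool:
    """True when the headline MTTD exceeds the tolerance agreed with the board
    (the 90-day default below is an assumed threshold, not an industry standard)."""
    value = metrics.get("mttd_days")
    return value is not None and value > tolerance_days


def board_summary(register: List[Incident], tolerance_days: float = 90) -> str:
    """One-line, jargon-free statement of detection performance."""
    m = detection_metrics(register)
    if m["mttd_days"] is None:
        return "No incidents with a measurable detection time."
    status = "above" if above_tolerance(m, tolerance_days) else "within"
    return (f"Detection: {m['mttd_days']} days on average (median {m['median_days']}, "
            f"worst {m['max_days']}) across {m['measured']} incidents, {m['unmeasured']} still "
            f"under investigation; {status} the {tolerance_days}-day tolerance.")


if __name__ == "__main__":
    print(board_summary(SAMPLE_REGISTER))
    print(containment_metrics(SAMPLE_REGISTER))
```

Run as-is, the script reports an MTTD of 77 days for the sample register while the median is 15 days, which is the point a risk officer has to make explicit: the average is within a 90-day tolerance only because most incidents were caught quickly, and the single 273-day intrusion is the number the board actually needs to act on.  Incidents whose detection time has not yet been established are counted separately rather than dropped, so the headline figure cannot improve simply because investigations are still open.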

My Thoughts On This:

Fundamentally, I think the vCIRO role is actually a good one.  Risk Management is taking on much more importance in the world of Cyber, and there needs to be someone dedicated to doing exactly that.  But keep in mind that a whole new slew of “v” titles will be coming out in Cyber as well.

In my view, the primary reason for this is that the days of the traditional CISO will soon be coming to an end.  This will be driven by the further emergence of the vCISO.  These individuals are far more cost effective than hiring a CISO outright. 

Plus, these individuals have their own networks of contacts that they can bring on board as well, depending on the needs of your project.

For instance, rather than paying a CISO a salary of $100K for one year, you can hire a vCISO with the same amount of knowledge (and probably even more) for just $20K on a fixed-term contract.  Right now, it does seem awfully confusing who to turn to, with all of these “v” titles coming up. 

So my suggestion would be to hire a vCISO first, and let them assess your current environment.

They will not waste any time, as they know time is of the essence, and they will get to the heart of the matter quickly.  After they have done their assessment, let them tell you how to move forward.  Very likely, as mentioned before, they will have their own Rolodex of contacts that they can bring on board, rather than having you hire these individuals separately. 
