Is it time to split the CISO role?

Could separation of certain functions improve risk management?

In other circumstances, it makes sense to have a head of cybersecurity to lead the technical, operations and architecture teams, and a CISO to lead governance, risk, and compliance functions, according to Chirag Joshi, CISO and founder of 7 Rules Cyber consultancy. “The governance and risk role could have more engagement with the board, presenting the metrics and measurements, strategy and policy,” Joshi tells CSO.

One of the SEC requirements is filing the annual cyber risk management program, and this is usually the role of the governance leader. They build a strategy that accounts for control measurements, but there’s a need to support that with someone who’s functionally independent and able to challenge it, when necessary. “Having a line of separation between operational and risk responsibilities can be beneficial because there’s more likelihood of being able to challenge the risk choice with that independence,” Joshi says.

By elevating the CISO role to that of other C-suite executives, they become a strategic business adviser focused on managing risk. Instead of simply answering the question ‘how we secure this’, it’s having input into whether the organization should be doing ‘this’, which might be adopting new applications or other security considerations.