Learn why CISOs shouldn't be the sole risk owners in cyber security and third-party risk management, and why responsibility should be shared across the organisation.
Chief Information Security Officers (CISOs) play a crucial role in today's fast-paced digital landscape. Traditionally, organisations have viewed CISOs as the guardians of cyber security, often burdening them with the entire responsibility for risk management. This approach extends to Third-Party Risk Management (TPRM) programmes and broader cyber security initiatives.
However, we must embrace a paradigm shift as cyber threats grow more sophisticated and intertwine with business operations. The notion that CISOs should solely own all cyber security and third-party risks needs to be reevaluated, as it actively harms an organisation's overall security posture.
This article explores why CISOs must transition from being sole risk owners to becoming facilitators of risk management across the entire organisation. This shift doesn't diminish the importance of the CISO; rather, it enhances the effectiveness of risk management by involving all parts of the business and increasing overall accountability for a shared problem.
For years, many organisations have placed the full weight of cyber security risk ownership on their CISOs' shoulders. This traditional view positions the CISO as the ultimate guardian against cyber threats, tasking them with identifying, assessing, and mitigating all risks related to information security.
While this approach seems logical at first glance - after all, CISOs are the cyber security experts - it brings several significant drawbacks that hinder effective and company-wide cyber risk management.
One major issue with CISOs as sole risk owners is the increasing need to fully understand the wider business context. CISOs are increasingly tasked to go beyond just technical expertise and develop a deep understanding of their organisation's business, strategy, and objectives. This allows them to align security initiatives with business goals and translate security into business impact. Effective CISOs can communicate security risks and needs in business terms that resonate with executives and board members. This includes explaining how security investments are supporting wider business objectives.
CISOs are also expected to build strong relationships across the organisation, including with business unit leaders, to understand their needs and gain buy-in for security initiatives. As a result, CISOs effectively have to contribute to business strategy discussions and position security as an enabler of business growth, not just a cost centre. Moreover, in-depth industry knowledge is key for CISOs to understand their company's competitive landscape and regulatory environment and to tailor security strategies appropriately. In essence, the CISO's role has increasingly transitioned from a primarily technical focus to one that also encompasses strategic business leadership.
While this has been a necessary development overall, it also places an unfair burden on the shoulders of CISOs that is next to impossible to fulfil, and it has led to a situation where the average tenure of a CISO at one company is approximately only 1.5 to 4 years at best.
Sole risk ownership by CISOs can also create a "security silo", especially if buy-in, strong relationships and mutual understanding can't be secured across the organisation, and in particular with business unit leaders. In this case, cyber security becomes isolated from the rest of the organisation, operating independently rather than as an integrated part of the business. This makes it next to impossible for CISOs and their teams to embed security considerations deeply into the wider organisation, rendering security solutions purely technical and less effective overall.
With other teams viewing security as a roadblock rather than an enabler, this can lead to resistance against security measures or, worse, attempts to bypass them, especially when business unit leaders do not have to face the music if something goes wrong.
The most compelling argument against sole risk ownership by CISOs is that effective cyber security and TPRM require a company-wide effort. Cyber risks don't exist in isolation and are not purely technical - they intertwine with every aspect of your business operations.
Consider shadow IT, where employees use unauthorised software or services in different teams without communicating this to their security teams. This significant security risk isn't manageable by the CISO alone. Team leaders must take responsibility for their teams' training, risk awareness, and behaviour. They also need to manage their use of external vendors and tools and communicate effectively with TPRM teams to prevent shadow IT from proliferating.
The same is true more generally with instilling a culture of security and best practice across the wider organisation, which occasional security training sessions imposed by security teams on other business units won’t resolve.
To move away from the model of CISOs as sole risk owners, the CISO role must inevitably evolve. This shift doesn't diminish the importance of CISOs. Rather, it elevates them to a more strategic position within the organisation, but the responsibility for security must be shared with the board and business unit leaders to be effective.
CISOs transition from owners of all cyber security risk to facilitators and advisors in this new paradigm. They take on a more collaborative role, working with different departments to help them understand and manage their cyber security risks, and working in tandem with them to identify the right mix between security and business efficiency, while also bringing this in line with wider enterprise business and risk strategies.
As facilitators, CISOs create a culture of security awareness across the organisation. They break down the security silo, ensuring that cyber security considerations weave into the fabric of every business decision.
For example, instead of dictating security policies from the top down, a CISO in this new role works with other teams to understand their needs and helps them develop security practices that protect proprietary and customer data without hindering their ability to engage with clients effectively.
A vital aspect of this evolving role involves empowering business units to take ownership of their risks. This doesn't mean leaving them to fend for themselves, but rather providing them with the tools, knowledge, and support they need to effectively manage their specific risk landscapes.
The CISO can collaborate with the HR department to develop security training programmes tailored to different company roles. They can also collaborate with the procurement team to establish guidelines for assessing the security posture of potential vendors specific to different teams, and ensure that processes for onboarding new vendors are harmonised across the business and that security teams have a direct role in the process.
Since the success of your cyber security and TPRM programmes depends on support from top-level management and directors, and requires buy-in and collaboration from every department, a sensible way forward would be to establish a cross-organisational Cyber Security and TPRM Oversight Committee.
Clear inter-departmental communication is crucial to ensure all aspects of the programme are aligned.
While CISOs step back from sole risk ownership, their expertise remains as crucial as ever, as is the expert guidance they can provide to help other departments navigate complex cyber security landscapes.
This involves:
By sharing their knowledge and experience, CISOs elevate the overall security posture of the entire organisation, creating a more resilient and security-aware business environment.
Now that we understand why CISOs shouldn't be the sole risk owners and how their role evolves, let's zone in on how to implement a distributed risk ownership model. This approach spreads the responsibility for managing cyber security risks across the organisation, creating a more effective risk management framework and culture.
The first step in implementing a distributed risk ownership model involves identifying the key stakeholders who should participate in managing cyber security risks as part of a cross-organisational Cyber Security and TPRM Oversight Committee. This extends beyond just the IT department and includes representatives from all business units:
After identifying your stakeholders, clearly define roles and responsibilities within the new risk management framework. This ensures everyone understands their part in maintaining the organisation's security posture.
Key roles include:
A solid risk governance framework is essential for the success of a distributed risk ownership model. This framework, which should be developed by the CISO, but in consultation with the other members of the Oversight Committee, should outline:
For a distributed risk ownership model to work, everyone involved needs a basic understanding of cyber security principles and risk management practices. This is where the CISO's role as an educator becomes especially crucial.
Implement:
Any significant change in organisational structure or processes faces resistance. It's important to anticipate and address this proactively.
Strategies to overcome resistance include:
Shifting from a CISO-centric risk ownership model to a distributed approach offers numerous benefits. Let's explore how this change positively impacts your organisation's risk management effectiveness and overall business performance.
One of the most significant benefits of distributed risk ownership is improved risk awareness and enhanced personal responsibility throughout the organisation for keeping company, staff and client data, as well as internal systems, safe. When cyber security becomes everyone's responsibility, employees at all levels become more attuned to potential threats and vulnerabilities.
This heightened awareness leads to:
When risk ownership is distributed, decision-making around security issues becomes more informed and contextual. Instead of being made in isolation by the CISO and their teams, security decisions are now made with input from the people who understand each department's day-to-day operations.
This leads to:
Distributing risk ownership not only improves awareness and decision-making but also enhances the overall effectiveness of risk management efforts. By involving more people and perspectives in the risk management process, you create a more comprehensive approach to security.
Benefits include:
For example, a distributed model helps you identify and address risks in your supply chain more effectively, as procurement teams work closely with security experts to vet and monitor vendors.
One of the most valuable long-term benefits of distributed risk ownership is creating a strong security culture within your organisation. When security becomes everyone's responsibility, it shifts from being seen as a necessary evil to an integral part of business operations.
This cultural shift leads to:
As we've explored throughout this article, the traditional model of CISOs as sole owners of cyber security risks fails to meet the needs of today's complex digital threat landscape. The shift towards a distributed risk ownership model offers a more effective and resilient approach to managing cyber security threats facing organisations.
In this new paradigm, the CISO's role becomes more strategic, evolving from being the sole guardian of security to becoming a facilitator, advisor, and educator, helping to elevate the security capabilities of the entire organisation.
As cyber threats evolve and become more complex, organisations embracing this shared responsibility model will protect themselves, their customers, and their assets more effectively.
The next step? If you're a CISO, initiate conversations with other department heads about how they can take a more active role in managing cyber security risks. If you're in another leadership role, reach out to your CISO about how you can become more involved in protecting your organisation.
The future of effective cyber security lies in shared responsibility. Take the first step today.