In a convergence culture, accountability for risk is accepted across the organization, and when that happens, risk management becomes a priority to the business, informing strategy and objectives.
Five years ago, less than 25 percent of CSOs or CISOs reported to a CEO. Today, that number has tripled, and they report not just to CEOs but also to a board, chief legal counsel or a CFO.
The role has become one of torchbearer, communicating with their executive counterparts about the issues that could affect the company’s ability to conduct business. By helping identify and mitigate risk across finance, operations and IT, the CISO puts security in context of what could affect profit. And that’s language any CEO understands.
Security is a governance issue, and a vital part of the mission of business. As Roland Cloutier, Vice President and Chief Security Officer for ADP Worldwide, stated in a recent interview with Tripwire, the “security organization can never be the lone risk acceptor, because it means there will be little buy-in to risk across the company.”
For more background on connecting security to the business, check out the article on The Convergence of Information Security and Risk Management.