Skip to main content

Shifting Information Risk Management Out of IT | Optiv

May 30, 2014

In my previous blog posts, I discussed how the role of the CISO is changing due to the additional responsibilities that come with managing the risk of information regardless of where it resides, and the shift in security strategies. It is important to understand this background information as it frames the discussion for moving the new Chief Information Risk Officer (CIRO) role out if IT and in line with the other “C” suite roles.

Before we dive into reporting models, it is worth noting that there is no right answer when it comes to organizational structure. The primary considerations are the corporate culture, industry sector and organization size. Smaller organizations are unlikely to have an entirely separate security or information risk function, while it is common in larger organizations. That said, the trend is to move security out of IT department and into a reporting structure that supports the ongoing risk management of the organization. The mission is no longer to only secure the data, but to now manage the risk the data is presenting.

Traditionally the CISO has reported directly to the CIO. Figure 1 below shows this reporting structure.


CISO Structure

Figure 1 - Traditional CISO Reporting Structure

In this model, security operations fall under the CISO. This is a technical function that includes security architecture, technology systems integration, configuration, vulnerability management and monitoring. This focus on deploying and managing technology is contrary and conflicting at times with managing information risk. The role of the CIO is to deploy technology systems and the role of the traditional CISO is to focus on protecting the information – this can cause a natural conflict of interest between the two leaders. It is a good practice for organizations to divide the responsibilities for managing operational availability from managing information security.

To overcome these challenges, a new model has emerged that breaks down the different roles of the security team and provides lines of communication so that the right individuals can be informed and consulted, and actions can be made to lessen information risk. Figure 2 below illustrates the emerging CIRO reporting structure.


CIRO Structure

Figure 2 - Emerging CIRO Reporting Structure


In this model, there are additional responsibilities for third-party risk and regulatory risk management under the CIRO, illustrating that they are accountable for managing the risk of the information regardless of where it resides. This is also different from the traditional model in that the CIRO is a key member of the executive staff and has a direct line of communication with the board. The roles of the security team are also broken out in this model:

CIRO – specializes in translating business initiatives into security and risk management requirements and programs that must be implemented to support the corporation’s goals and objectives; collaborates with the executive team to ensure timely and appropriate progress; communicates to the board the current information risks facing the organization and how those risks are being managed overtime; manages the Security IT Leader and Business Security Leader.

Security IT Leader –specializes in technical security issues including security architecture, engineering, and security operations and monitoring, network and web application firewalls, intrusion prevention, data leakage and other security technology systems; manages the technical security requirements such as configuration and vulnerability management; responsible for scanning networks, systems and applications for vulnerabilities; has a direct line of communication to the CIO to collaborate with the IT team.

Business Security Leader – focused on the business requirements and enabling the business to meet their objectives; acts as the liaison between the business and the information security group; responsible for the overall compliance of the business to the established security policies and requirements; ensures that projects within the business have integrated security so there are no delays when implementing new initiatives; coordinates with IT Security Leader about any security implementations, performs audits or penetration tests of business assets; has a direct line of communication to the Business Unit Manager so that security is a priority in every line of business within the organization.

Depending on the company culture, business structure and other factors, the model can also be modified so that the Security IT Leader reports directly to the CIO and/or the Business Security Leader reports directly to the Business Unit Manager. Either way the responsibilities remain the same and the important factor is having the communication and collaboration between the different groups mapped out above.


Some of the major benefits of this new model over the traditional are that it:

  • Aligns the information risks with the business priorities;
  • Supports the shared responsibilities of information risk (information security is not a IT problem, it is a business problem); and,
  • Includes the full spectrum of information risks that organizations are facing today and provides a reporting structure to gain visibility and implement the strategy.

I do not claim that the above model is a one size fits all, but it does give a general layout of how to structure an effective information risk management approach. When implementing a version of this structure to your own organization my recommendations are to:

  1. Start Slow – First align the reporting structure to meet the needs of the business, and then add the additional responsibilities of the full suite of information risk over time.
  2. Start Now – The material risk of information to the corporation has never been higher and doing nothing is not an option.

The role of information security officer is changing, but like all major shifts in culture and organization, this transformation will not happen overnight. In fact, the role of the CISO is not 100% accepted in organizations today – a role that has existed for over two decades. But when a security leader with the proper skills and a structure that supports their success is in place, the organization will be better positioned to level the battle field against threat agents and protect their company from attacks.


Related Blogs

April 10, 2013

What I Know About Risk Management I Learned from Surfing

Surfing is risky business. There are uncertainties and sometimes danger. The costs can be serious injury, maybe death. However, the rewards can be hig...

See Details

January 17, 2018

The Aftermath of Meltdown and Spectre: Now What?

The recent unveiling of the widely reported Meltdown and Spectre attacks, which exploit critical vulnerabilities in modern processors, sent many withi...

See Details

July 06, 2017

Indicators of Compromise (IOCs) are Not Intelligence

When discussing the topic of cyber threat intelligence, I frequently hear questions about Indicators of Compromise (IOCs). IOCs are not intelligence b...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy


February 02, 2012

Risk Management Business Case | Optiv

This is something we’ve seen a number of clients struggle with over the years. There really is a strong need to include risk management as one compone...

See Details

May 18, 2017

Don't Forget Basic Security Measures, Experts Say

DarkReading | May 18, 2017 Some security leaders argue there is little point in worrying about emerging threats when businesses can't defend against ...

See Details

November 12, 2014

Empowering the CISO

A security-focused business culture can empower the CISO to effectively perform their job, and allow them to become a respected member of the “C” leve...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.