The Evolution of Security Strategies

May 29, 2014

In my last blog post, I discussed how the role of the Chief Information Security Officer (CISO) has evolved into the Chief Information Risk Officer (CIRO), and the growing list of responsibilities associated with this evolution. This shift raises questions about how to structure reporting relationships that support open communication and collaboration between the CIRO and other areas of the business, and it requires that the CIRO keep the board of directors informed of the risks the company faces from security, privacy and regulatory threats.

Depending on company size, industry sector and security program maturity, different security strategies are being deployed across organizations today. The evolution from IT-based security programs to compliance-based programs, and now to threat- and risk-based security programs, illustrates the journey organizations take as their security programs mature and move toward a business-aligned program.

IT-Based Security Program

This traditional approach focuses on the implementation of security technologies within the organization. The security function is seen as a component of the IT team. The emphasis is on the infrastructure and on keeping the internal systems secure.

Compliance-Based Security Program

Organizations that are highly regulated focus their efforts on complying with security and privacy regulations. This is the most common program seen today; however, recent security events have shown that compliance does not equal security, and compliance alone is not an effective strategy.

Risk-Based Security Program

The best security programs are business-aligned. It is critical for organizations to understand the goals and objectives of the company and to recognize the threats they face that hinder those objectives. Different organizations face different threats based on their specific attributes. For example, a highly public-facing organization will have a greater likelihood of a DDoS attack than others, while organizations with significant size and complexity will have a larger probability of an APT attack. Combining the business goals, risks and threats is the key to developing a highly effective information risk program.

As organizations move toward this risk-based security approach, the CIRO will have many responsibilities that are not directly related to information technology. This is why it is necessary to shift away from the traditional reporting structure (where the CISO reports to the CIO), so that the CIRO is in a position to communicate directly with the board and other key executives in support of the organization's ongoing risk management. In my next blog post I will explore these reporting models and the benefits of this emerging structure.
