Skip to main content

The Evolution of the CISO to CIRO

May 09, 2014

Over the past five years the role of the Chief Information Security Officer (CISO) has changed dramatically, and will probably go through an even more dramatic change during the next five.

The CISO typically had a technical role, coming up through the ranks with an IT background, and then moved into security. Their main job function was the implementation of security technologies within the organization; the emphasis was on the infrastructure and keeping the internal systems secure. As the “S” in CISO implies – the focus was on security.

Over the past few years, the focus of the CISO has expanded beyond the security of the enterprise and should now concentrate on managing the risk of the information, regardless of where it resides. Today’s CISO has evolved into the Chief Information Risk Officer (CIRO), with a growing list of responsibilities – including all or some of the below, depending on the industry and company demographics.

Information Risk Management – A CIRO needs to understand the threats to the organization’s information and business operations, from all aspects. The security strategy should be focused on enabling the business and minimizing the risk to the information.

Regulatory Compliance Management – Almost every industry is subject to a set of industry specific security and privacy regulations; and most large companies operate businesses outside the US with their own regulatory requirements. The CIRO needs to understand the laws within the jurisdictions they operate, working with their legal and regulatory compliance teams to implement the necessary protections and processes to demonstrate compliance with the law.

Third-Party Risk Management – It is important for a CIRO to identify the information that is flowing outside the organization and the third-parties that provide services impacting business operations. The proliferation of outsourcing and cloud providers has made this responsibility more critical than ever. The CIRO must be able to establish a process for measuring and managing the risk of these external entities and quantify the risk to the overall business.

Business Acumen – The CIRO must have a keen understanding of technology and be an excellent communicator in business terms. They need to be able to translate the complexities of the entire security ecosystem into a language executive leadership and board members understand. Their success is measured by their ability to communicate the organization’s current level of information risk and how it is managing the risk over time, putting security and privacy projects into terms of value to the organization.

There will be a growing number of CIROs in the future, with a mission to manage the information risk of the organization across all aspects and locations. For many companies, the position of the CIRO is moving out of IT and more in line with the other “C” suite roles. This raises some questions on reporting structures, which I will cover in my next blog post.


Related Blogs

March 08, 2018

Part 2: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

In part 1 of this series, we provided insights responding to the frequent question regarding control frameworks and their place in the security strate...

See Details

February 28, 2018

Part 1: Frameworks in Context: The Business-Aligned Information Security Program and Control Frameworks

During hundreds of strategy, risk and compliance engagements, Optiv’s consultants often have been asked very thoughtful and deep questions about contr...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy

Related Insights

May 30, 2019

Risk Management and Transformation: Third-Party Risk Management

Learn how to plan, develop and manage your third-party risk program.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.