Why Shift Information Risk Management Out of IT?

By James Christiansen ·

In my previous blog posts, I discussed how the role of the CISO is changing due to the additional responsibilities that come with managing the risk of information regardless of where it resides, and the shift in security strategies. It is important to understand this background information as it frames the discussion for moving the new Chief Information Risk Officer (CIRO) role out if IT and in line with the other “C” suite roles.

Before we dive into reporting models, it is worth noting that there is no right answer when it comes to organizational structure. The primary considerations are the corporate culture, industry sector and organization size. Smaller organizations are unlikely to have an entirely separate security or information risk function, while it is common in larger organizations. That said, the trend is to move security out of IT department and into a reporting structure that supports the ongoing risk management of the organization. The mission is no longer to only secure the data, but to now manage the risk the data is presenting.

Traditionally the CISO has reported directly to the CIO. Figure 1 below shows this reporting structure.


CISO Structure

Figure 1 - Traditional CISO Reporting Structure

In this model, security operations fall under the CISO. This is a technical function that includes security architecture, technology systems integration, configuration, vulnerability management and monitoring. This focus on deploying and managing technology is contrary and conflicting at times with managing information risk. The role of the CIO is to deploy technology systems and the role of the traditional CISO is to focus on protecting the information – this can cause a natural conflict of interest between the two leaders. It is a good practice for organizations to divide the responsibilities for managing operational availability from managing information security.

To overcome these challenges, a new model has emerged that breaks down the different roles of the security team and provides lines of communication so that the right individuals can be informed and consulted, and actions can be made to lessen information risk. Figure 2 below illustrates the emerging CIRO reporting structure.


CIRO Structure

Figure 2 - Emerging CIRO Reporting Structure


In this model, there are additional responsibilities for third-party risk and regulatory risk management under the CIRO, illustrating that they are accountable for managing the risk of the information regardless of where it resides. This is also different from the traditional model in that the CIRO is a key member of the executive staff and has a direct line of communication with the board. The roles of the security team are also broken out in this model:

CIRO – specializes in translating business initiatives into security and risk management requirements and programs that must be implemented to support the corporation’s goals and objectives; collaborates with the executive team to ensure timely and appropriate progress; communicates to the board the current information risks facing the organization and how those risks are being managed overtime; manages the Security IT Leader and Business Security Leader.

Security IT Leader –specializes in technical security issues including security architecture, engineering, and security operations and monitoring, network and web application firewalls, intrusion prevention, data leakage and other security technology systems; manages the technical security requirements such as configuration and vulnerability management; responsible for scanning networks, systems and applications for vulnerabilities; has a direct line of communication to the CIO to collaborate with the IT team.

Business Security Leader – focused on the business requirements and enabling the business to meet their objectives; acts as the liaison between the business and the information security group; responsible for the overall compliance of the business to the established security policies and requirements; ensures that projects within the business have integrated security so there are no delays when implementing new initiatives; coordinates with IT Security Leader about any security implementations, performs audits or penetration tests of business assets; has a direct line of communication to the Business Unit Manager so that security is a priority in every line of business within the organization.

Depending on the company culture, business structure and other factors, the model can also be modified so that the Security IT Leader reports directly to the CIO and/or the Business Security Leader reports directly to the Business Unit Manager. Either way the responsibilities remain the same and the important factor is having the communication and collaboration between the different groups mapped out above.


Some of the major benefits of this new model over the traditional are that it:

  • Aligns the information risks with the business priorities;
  • Supports the shared responsibilities of information risk (information security is not a IT problem, it is a business problem); and,
  • Includes the full spectrum of information risks that organizations are facing today and provides a reporting structure to gain visibility and implement the strategy.

I do not claim that the above model is a one size fits all, but it does give a general layout of how to structure an effective information risk management approach. When implementing a version of this structure to your own organization my recommendations are to:

  1. Start Slow – First align the reporting structure to meet the needs of the business, and then add the additional responsibilities of the full suite of information risk over time.
  2. Start Now – The material risk of information to the corporation has never been higher and doing nothing is not an option.

The role of information security officer is changing, but like all major shifts in culture and organization, this transformation will not happen overnight. In fact, the role of the CISO is not 100% accepted in organizations today – a role that has existed for over two decades. But when a security leader with the proper skills and a structure that supports their success is in place, the organization will be better positioned to level the battle field against threat agents and protect their company from attacks.