The Evolution of the CISO to CIRO

Over the past five years the role of the Chief Information Security Officer (CISO) has changed dramatically, and will probably go through an even more dramatic change during the next five.


The CISO traditionally held a technical role, coming up through the ranks with an IT background and then moving into security. The CISO’s main job function was the implementation of security technologies within the organization; the emphasis was on the infrastructure and on keeping the internal systems secure. As the “S” in CISO implies, the focus was on security.


Over the past few years, the focus of the CISO has expanded beyond the security of the enterprise and should now concentrate on managing the risk of the information, regardless of where it resides. Today’s CISO has evolved into the Chief Information Risk Officer (CIRO), with a growing list of responsibilities – including all or some of the below, depending on the industry and company demographics.


Information Risk Management – A CIRO needs to understand the threats to the organization’s information and business operations, from all aspects. The security strategy should be focused on enabling the business and minimizing the risk to the information.


Regulatory Compliance Management – Almost every industry is subject to a set of industry-specific security and privacy regulations, and most large companies operate businesses outside the US that carry their own regulatory requirements. The CIRO needs to understand the laws of the jurisdictions in which the company operates, working with the legal and regulatory compliance teams to implement the necessary protections and processes to demonstrate compliance with the law.


Third-Party Risk Management – It is important for a CIRO to identify the information that is flowing outside the organization and the third parties that provide services impacting business operations. The proliferation of outsourcing and cloud providers has made this responsibility more critical than ever. The CIRO must be able to establish a process for measuring and managing the risk posed by these external entities and to quantify that risk to the overall business.


Business Acumen – The CIRO must have a keen understanding of technology and be an excellent communicator in business terms. They need to be able to translate the complexities of the entire security ecosystem into a language executive leadership and board members understand. Their success is measured by their ability to communicate the organization’s current level of information risk and how it is managing the risk over time, putting security and privacy projects into terms of value to the organization.


There will be a growing number of CIROs in the future, with a mission to manage the information risk of the organization across all aspects and locations. For many companies, the position of the CIRO is moving out of IT and more in line with the other “C” suite roles. This raises some questions on reporting structures, which I will cover in my next blog post.