Can segregation of duties improve risk management?
In some cases, it makes sense to have a head of cybersecurity to lead the technology, operations and architecture teams, and a CISO to lead governance, risk, and compliance functions, according to Chirag Joshi, CISO and founder of 7 Rules Cyber consultancy. “The role of management and risk can be more interactive with the board, presenting metrics and estimates, strategy and policy,” Joshi tells CSO.
One of the SEC’s requirements is an annual cyber risk management plan, and producing it is often the job of the governance leader. That leader develops a strategy that addresses regulatory standards, but it needs to be backed up by someone who works independently and can challenge it when necessary. “Having a line of demarcation between work responsibilities and risks can be beneficial because you are more likely to be able to challenge risk choices with that independence,” says Joshi.
Elevating the CISO to the level of other C-suite executives turns the role into that of a strategic business advisor focused on risk management. Instead of simply answering the question ‘how do we secure this’, the CISO provides input on how the organization should approach ‘this’, whether that is adopting new applications or weighing other security considerations.