For years, cyber security has been the province of IT specialist and technicians. Those days are long gone. If you ask a Board of Directors to identify a company’s most significant risk – cyber security is tops.
That is no big surprise. When you consider the consequences of a cyber intrusion or a more likely breach, companies suffer serious reputational and financial harm. Directors, senior executives and compliance officers should be concerned about cyber security.
But what is the role of the Chief Compliance Officer in cyber security risk management?
A CCO is not the sole owner, or even the most significant owner, of cyber security risk management. The Chief information Security Officer (CISOs) owns the risk. However, the CCO should be a strategic partner to the cyber security risk management program.
CCOs bring unique talents – policy management, monitoring and audit programs – which are all helpful to overall cyber security risk management. As a partner, a CCO is invaluable to the cyber security compliance program.
CISOs need CCOs and vice versa. Corporate attention to cyber security is increasing rapidly. Corporate boards and senior managers are supporting cyber security programs, and budgets for cyber security compliance are increasing.
Cyber security risk management is extremely difficult to manage because of the rapidly changing technological environment and evolving threats. Companies are altering cyber security strategies from reactive to proactive risk management.
Like all compliance issues, cyber security depends on business ownership of the risk and compliance with information procedures. CISOs and CCOs work together to support and promote cyber security risk management. Cyber security procedures and controls have to be embraced by the business managers and employees. Internal auditors play a key role in monitoring and auditing the program.
A convenient way to delineate responsibilities is for CISOs to take primary responsibility for information security tools, while CCOs assume responsibility for surrounding policies and procedures. CISOs and CCOs have to define third party responsibilities and appropriate responses to a data breach.
While the stakes are high, and the technology issues can be challenging, it is important to remember that existing compliance tools and strategies can be used to reduce cyber security risks. Just as in other contexts, compliance requires risk assessments, design of policies, procedures and controls in response to identified risks. A cyber security compliance program requires auditing and monitoring procedures in order to continuously improve the compliance program.
Information management requires adherence to security protocols and restricting access to authorized users. An effective cyber security program depends on company adherence to protocols for access to types of information. Cyber security depends on strengthening internal policies, procedures, as well as monitoring and auditing procedures.
In the end, cyber security risk management requires a CISO and CCO partnership. This new, evolving relationship is important to ensure cyber security risk management, and will ultimately hep CCOs to gain their rightful standing in a company, as a subject-matter expert in compliance and risk management.