Go Inside the Evolving Role of the Security Risk Management Leader

The responsibility of the security risk management (SRM) leader is changing. Over the last decade, the role has grown to accommodate an ever-expanding digital footprint and an increasingly distributed ecosystem – both of which combine to create a massive attack surface.

Additionally, cyber risk now transcends IT to become a business risk. According to a new report, Gartner Predicts 2022: Cybersecurity Leaders Are Losing Control in a Distributed Ecosystem:

  • 88% of boards now regard cybersecurity as a business risk rather than solely a technical IT problem. 
  • By 2026, at least 50% of C-level executives' employment contracts will include cyber risk performance requirements.

In light of these factors, SRM leaders will be under even greater scrutiny by the C-suite and Gartner maintains that the role must be reframed. It’s no longer enough to say:

  • “The CISO prevents breaches”
  • “Cyber risk is security’s problem”
  • “Security is a roadblock to speed”

Instead, SRM leaders should be viewed in the context of:

  • “A leader that facilitates risk management”
  • “Cyber risk is a business risk”
  • “Security enables agile and secure products”

But how can SRM leaders align their role with these expectations? Let’s look at three best practices SRM leaders can adopt.

1. Educate the organization on cyber risk

Traditional security awareness efforts have their place. But in an increasingly distributed ecosystem – across remote locations, business units, and geographies – these approaches are failing to facilitate the right behavior.  

That’s because employees are now making decisions with cyber risk implications, often without consulting security risk management leaders. They are also faced with contradictory messages, such as the need to share information with clients or business partners versus protecting data – leaving them confused about the right thing to do.

Gartner also found that executive committees are being formed outside the purview of SRM leaders. Each of these factors contributes to an environment where SRM leaders have less direct control over many decisions that typically would fall under their purview. But it doesn’t have to be that way. 

Here are some measures Gartner recommends that SRM leaders take to educate the organization that cyber risk is business risk – and hold them accountable:

  • Influence employee behavior in novel ways: SRM leaders must recognize that providing information to employees about risk won’t change their behaviors. People are much more influenced by norms and cues in their environment and will better respond to targeted tools that influence their behaviors, such as security culture hacks, gamification, and branded security programs.
  • Establish a security charter that stipulates that board members and executive leaders won’t make unilateral decisions that could expose the organization to unacceptable risk – and ensure these individuals buy into it.
  • Formulate executive cybersecurity performance goals: SRM leaders should work with HR leaders to include these goals in executive employment contracts.

2. Elevate executive reporting

Security risk management leaders must shift their roles to shape and influence risk decisions made by executives and boards.

To do this, SRM leaders must start speaking the language of the boardroom. Instead of talking about the technical aspects of the organization’s security apparatus, such as how many intrusions the corporate firewall stopped in the last quarter, they must articulate risk in terms the C-suite and board understand. For example:

  • If successful, how will intrusions affect the business? 
  • Did a cybersecurity incident impact critical systems? 
  • What are the financial or other impacts of a cybersecurity incident?
  •  Are there any other business-impacting vulnerabilities in the IT environment?

With data-driven executive reporting capabilities, leaders can answer these questions quickly and accurately, redefining cybersecurity as a business risk discussion.

As an example, SRM leaders can provide information about the number of vulnerabilities in the company’s digital ecosystem, as well as their severity (i.e., their likelihood of contributing to a breach) so that executives and board members can make more informed decisions about where to allocate resources and investments.

But to truly speak the language of the board, SRM leaders must quantify cyber risk in financial terms and communicate the impact to the bottom line if vulnerabilities go unaddressed.

Using advanced data analytics and automation, organizations can simulate their financial exposure across hundreds of thousands of cyber events, such as ransomware, denial of service attacks, regulatory compliance issues, and supply chain attacks. 

Through these insights, SRM leaders can guide leadership discussions around cyber risk management, prioritize cybersecurity decisions, and justify new technology investments.

CISO Reporting to Board eBook

Download our “CISO's Guide To Reporting To The Board” eBook to get the scoop on metrics that matter to the board.

Download eBook
Button Arrow

3. Assess and monitor third-party security performance

Today, 62% of security breaches originate with a third-party, such as a vendor or partner. In fact, Gartner projects that 60% of organizations will factor cybersecurity risk into third-party transactions by 2025, thanks to increased regulatory oversight and rising concerns about supply chain risk. They’ll achieve this through a combination of standards, due diligence, and technology – and SRM leaders must be right in the middle of this effort.

  • Standards: SRM leaders should engage business leaders, legal counsel, and procurement teams to set cybersecurity standards and expectations of third parties for various risk scenarios. For example, using BitSight Security Ratings, CISOs can establish security performance thresholds that a third-party must achieve to be considered as a potential partner. They can even use BitSight to automatically and continuously monitor their vendors’ changing risk profiles throughout the life of these partnerships.
  • Due diligence: Not all vendors require the same level of monitoring and due diligence. Office supply vendors, for example, will not be held to the same cybersecurity standard as accounting firms who have access to sensitive systems. Instead, SRM leaders should tier vendors according to their risk and business criticality. Tier one vendors (such as an accounting firm) can then be held to a higher standard than those in a lower tier. Check out BitSight’s tier recommender service to learn more.
  • Technology: The demand for transparency into third-party security performance will spur adoption of technology solutions that drive transparency into third-party risk management (TPRM).

A reframed role brings new opportunity for security risk management leaders

As SRM leaders think about reframing their roles to facilitate greater risk management – internally and across the supply chain – there is much work to be done.

But with board and C-suite interest increasingly focused on cybersecurity, SRM leaders must seize the opportunity to increase engagement and strengthen their relationships with the executive leadership team. Forward thinking SRM leaders will also recognize this as an opportunity to demonstrate their security teams’ value as an enablers of strategic business goals. 

Learn more about how the cybersecurity leader’s role is changing and how SRM leaders can work collaboratively with other business executives, manage third-party exposure, and make better cyber risk decisions.