From Risk Owners to Risk Advisors
CISOs should guide cybersecurity risk management, not own risks. Learn why the CISO's advisory role is crucial for business security and executive leadership engagement.
The Chief Information Security Officer (CISO) plays a critical role in addressing an organization’s cybersecurity risks. A growing consensus asserts that the CISO should act as a risk advisor, not a risk owner. This distinction is critical to fostering an effective cybersecurity program and ensuring that risks are managed by the right people.
The CISO’s Role as a Risk Advisor
The core responsibility of a CISO is to advise on cybersecurity risks that threaten the organization. They identify, assess, and communicate these risks to business leaders, ensuring that each risk is understood in the context of the organization’s strategic objectives. However, risk management often spans multiple areas of the business. The CISO oversees these areas from a security perspective but does not control them operationally. Consequently, the CISO should be considered a guide to business units, without bearing the ultimate responsibility for owning the risk itself.
Why CISOs Should Not Be Risk Owners
The reasoning behind separating the roles of advisor and owner is simple: ownership of risk typically rests with the people who can take action to mitigate or transfer it. Business units and CXOs have the ability to make decisions that directly impact their areas of operation. On the other hand, a CISO’s expertise is in assessing and advising on risks, not in controlling business processes outside the security domain. This creates a conflict when the CISO is expected to own risks that they do not have the authority to mitigate or influence fully.
Treating a CISO as a risk owner misaligns responsibilities. It shifts focus away from their role as an impartial assessor of risk and forces them to make decisions that could be better handled by business leaders.
Convincing the Executive Leadership: CISO as Advisor
One of the most important tasks for a CISO is to convince the executive leadership, including the CEO, that they should function as a risk advisor. This begins with clear communication about the limitations of the CISO’s authority. For instance, while the CISO can advise on the potential consequences of a cyberattack or a data breach, they may not be able to dictate operational changes in areas like supply chain management or customer service that fall under other business units (in some cases they can, provided they can back it up with solid data).
The CISO must work closely with executives to define their role in the risk management framework. This includes explaining that cybersecurity risks intersect with broader business risks, such as financial and operational risks, which need to be managed by respective departments.
Establishing a Risk Ownership Charter
The CISO can advocate for the establishment of a clear charter where risk ownership is formally assigned to business unit heads or other CXOs who are equipped to handle specific types of risks. Such a charter would detail the distribution of responsibilities across the organization, specifying that business unit leaders are responsible for risks tied to their functions. The CISO, in turn, serves as a consultant, providing insights and guidance on cybersecurity risks but leaving the decision-making to the respective risk owners.
This charter also helps build a culture of shared responsibility. By establishing risk ownership across different units, organizations can avoid the common pitfall of overloading the CISO with expectations they cannot fulfill. The CISO’s advisory role remains focused on assessing risks, aligning security measures with business goals, and ensuring that risk owners take action based on informed guidance.
Building Trust with the Board and CXOs
For a CISO to successfully operate as an advisor, they must build trust with the board, CXOs, and business unit leaders. This can be achieved through transparent communication, frequent updates on emerging threats, and ensuring that cybersecurity strategies are aligned with business priorities. When the leadership recognizes the value the CISO brings in guiding risk decisions, they are more likely to embrace the advisor model and promote risk ownership across the organization.
As the advisor, the CISO can foster informed decision-making by offering a strategic view of cybersecurity risks. This ensures that the organization is prepared to respond to threats while each business unit retains ownership of risks specific to their domain.
As a CISO, how do you ensure that your advisory role is respected and that business units are fully engaged in managing their own risks?