Chapter 15
Internal Organization Context

Domenic Antonucci, Editor and Chief Risk Officer, Australia
Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia

“Cyber risk is an enterprise-wide risk, not just an IT risk. The cyber risk management system comes under the umbrella enterprise risk management system,” declared Nathan, the chief risk officer. Tom the CEO looked at Nathan and Grace, his head of human resources, both sitting in his office, and replied, “OK, but what does that mean? Our techies aren’t famous for dealing with the rest of the business. In your roles, both of you engage in stewardship and coordination, so tell me how we internally organize. I want to know which functions are accountable and responsible for what, as well as how they are to internally support, consult, and inform each other.”

The Internal Organization Context for Cybersecurity

There are several international standards and voluntary guidance codes that can be used to understand internal organization context. All of them are voluntary in the sense that none is mandated by law, although contracts, regulators, or insurers may require an organization to adopt one.

Standards and Guidance Approaches

One set of standards that can be adapted to cybersecurity is ISO/IEC 27001:2013, Information technology–Security techniques–Information security management systems–Requirements. It covers the essential components of the cybersecurity internal organization context from the perspective of its parent, the information security function. Its leadership clause and its Annex A controls for the organization of information security cover management commitment, information security coordination, allocation of information security roles and responsibilities, the authorization process for information processing facilities, confidentiality agreements, contact with authorities, contact with special interest groups, independent review of information security, information security in project management, and segregation of duties.

Another voluntary guidance code approach is ISACA’s COBIT 5: Enabling Processes. Its Appendix G is a useful reference and has partly informed the RASCI charts below.

Yet another guidance approach is to adapt the ISO 31000:2009, Risk management—Principles and guidelines standard descriptions of internal context for the purposes of cybersecurity and other risks. (For more detail on ISO 31000, see our Chapter 6, Principles Behind Cyber Risk Management). This serves to aid better understanding between the information security, information technology (IT), and other enterprise functions. ISO 31000 brings internal factors for cybersecurity to the fore, such as objectives-led consideration of the organization’s internal stakeholders, governance and organization structures, standards, contracts, roles and capabilities, culture, information systems, information flows and decision-making processes. (These other factors are also covered in our other chapters.)

Cybersecurity within the Enterprise

Aligning the cybersecurity function with the other enterprise functions is the clarion call for modern organizations and their leadership. There is no other way an organization can build the speedy, adaptive, resilient, and responsive capabilities required to face the fast-evolving universe of cyber threats (and opportunities).

Effective cybersecurity within the modern organization requires a cyber risk management system. This involves the ongoing, effective, and fast deployment of organization capabilities to mitigate cyber risk. Waiting to react is game over. The system is not only a framework or set of processes, but the ongoing interplay of many capability elements such as people, technology, policies, procedures, practices, third-party relationships, and culture, that is, all those elements or components that make cybersecurity repeatable, consistent, measurable, demonstrable, and responsive, rather than overly dependent on the ad hoc vagaries of individuals, silos, and committees.

The cyber risk management system is a subset and child of the parent enterprise-wide risk management (ERM) system and its governance architecture. It is as simple and complicated as that. There is no need to reinvent the wheel in this regard.

The cyber risk management system has a sibling link to the physical security function and to the business continuity management system (BCMS), which also falls under the same parent enterprise risk management system. Leaving aside for the moment where a cybersecurity function may report to, from a risk governance perspective, it is a part of the normal governance and reporting of the ERM system. If not, serious internal gaps may occur at all levels but especially at the strategic, operational, and interdependency levels. A cyber risk advisory committee (or steering committee or equivalents) may form a working party or task force and will naturally report the outputs from the cyber risk management system in the same way the BCM, security, or ERM systems would to, say, a risk and audit committee up to the board.

Tailoring Cybersecurity to Enterprise Exposures

One of the most important roles for the CEO (with board oversight) is to tailor the capabilities of the cybersecurity function to enterprise-wide threats (and opportunities). This means aligning the design of the cybersecurity operating model to the enterprise (and vice versa). It also means making each enterprise function clear on and, accountable for, the set of capabilities the board and CEO expect them to bring to bear to prevent and respond to cyber threat (and opportunity).

Designing Your Own Cyber Risk Function Operating Model

The design of the cybersecurity operating model should be aligned with the ERM function operating model adopted by the enterprise that is already tailored to the organization’s objectives, context, and risk profile. As a guide, the template in Table 15.1 is one way to design and assure that these two operating models could achieve the desired levels of alignment. Its content is illustrative, not prescriptive. Until an ERM function is in place, organizations may make alternative arrangements with other heads of functions, typically security or operations/supply chain.

Table 15.1 Template for Designing a Cyber Risk Function Operating Model

| Dimension | Information Security Model | Hybrid Model | Centralized RM Model |
|---|---|---|---|
| Governance and oversight | Always insourced. | Cyber and BU risk committees report separately to board/CEO. | Cyber and business unit risk committees report together under ERM/CRO structure to board/CEO. |
| Reporting lines | CISO to head of IT. | CISO to head of IT with dotted line to CRO or head of security; conflict of interest minimized by reporting to centralized committees. | CISO reports directly to CRO or head of security and reports to central/board committees. |
| RM plans and policies | Developed mainly by the CISO, with or without external expert advice, approved by CEO. | Corporate cyber and risk policy set by the central unit, with supporting policies and procedures set by BUs. | Set at corporate level in consultation with CISO and cascaded down. Includes RM plan and tracked capability maturity improvements. |
| RM language and methodology | Risk language, processes, and methods left to CISO/BU. | CISO/BU adopts risk language, processes, and methods in accordance with central risk policy and risk management plan. | Central function sets risk language, processes, and methods. Mandates across BUs. Monitors compliance. |
| Accountabilities | Set by CISO/BU. | Shared, with agreed control ranges and demarcation. | Primarily rests with a centralized risk function headed by a CRO. |
| Responsibilities | Set by CISO/BU. | Shared. Defined control parameters. | Primarily with CRO or centralized risk function. |
| Risk limits and compliance | CISO/IT managers set risk limits and monitor compliance independently. | Group-level committee sets risk limits, which the business units operate. BUs may define tolerances, etc., but within group limits. | Central function sets risk policy, appetite, and tolerances. Monitors compliance. |
| RM info systems | No portfolio reporting capability. Systems differ between InfoSec and across BUs. | Centralized risk-reporting system in place, but CISO/IT manage and own their systems at the specialist technical level. | Centralized RM information system deployed across all BUs, including InfoSec. |

Examples only appear above. Tailor to your organization. Italics represent typical large organization. RM, risk management; BU, business unit; CISO, chief information security officer; CRO, chief risk officer; ERM, enterprise risk management.

The modern at-risk organization demands that the CEO (with board oversight) directs the alignment of the key functional roles. This means aligning the cybersecurity function and joint activities across the enterprise with other enterprise functions (and vice versa). Not all functions are equally important to cybersecurity and some may have a critical function at certain times (e.g., corporate communications dealing with external media and social media during a cyber crisis). This involves an understanding of the interfaces between the cybersecurity function and the other functions that need to work together and at times team up, before, during, and after a cyber breach or crisis.

Typical Enterprise Functional Roles Most Involved in Cybersecurity across the Enterprise

Typical enterprise functional roles most involved in building and measuring cybersecurity capability across the enterprise are set out in Table 15.2. The table depicts the broad relationship and hierarchy of the typical cyber-to-enterprise functional roles. These are the key players who need to work together in building and measuring cyber risk management system maturity.

Table 15.2 Typical Enterprise Functional Roles Most Involved in Cybersecurity

Governance tier: Board; Audit Committee; Internal Audit
Management tier: CEO; Risk committee
Executive heads: CISO; CRO; CIO; CFO; Legal; CSO; COO; HR
Specialist roles: InfoSec risk champion; Digital risk officer; Insurance manager; Security manager; Business continuity manager; Supply chain manager; Corporate comms manager
Risk management systems for: Enterprise; Cyber; Business continuity; Security

The governance roles are taken up by boards, risk committee(s), and internal audit, and shared by the CEO. The CEO executes strategy and directs executive managers from the CISO across to human resources (HR) with advice from risk committee(s) and/or risk/audit committee who also report to the board and other governance functions.

Aligning these key functions across the enterprise

A proven method to analyze, implement, and ensure alignment across the functions charted in Table 15.2 is a RASCI matrix. The RASCI matrix is a guidance tool for identifying roles and assigning cross-functional responsibilities for a project deliverable or activity. RASCI stands for responsible, accountable, supporting, consulted, and informed. The definitions follow:

  • Responsibility: person or role responsible for carrying out or doing the task.
  • Accountable: person or role answerable for ensuring that the whole task is completed, approved, and/or successful.
  • Support: person or role providing support to the task during the implementing of the task/activity/process or service. Typically, a peer or less senior function or advisor.
  • Consulted: person or role whose advice or subject matter expertise is required before and/or during the task in order to complete it.
  • Informed: person or role that needs to be kept informed during and/or after the task, including who should be informed about the task or the decisions to complete task.

Table 15.3 uses the RASCI approach and may be used as a template for tailoring alignment to the needs of any organization. It focuses on the high-level interface between each of the key enterprise functions and their most senior accountable heads, including cybersecurity under the CISO or the emerging digital risk officer (DRO). It provides summary guidance on how all functions should work together to optimize cyber risk management system maturity. Its content is illustrative, not prescriptive (except that the CISO/DRO should not report to the CIO). This template will require some tailoring to fit the specific structure and needs of each organization.

Table 15.3 Aligning Cybersecurity Across the Enterprise by RASCI Matrix

Most Senior Functional Heads For … Board* Risk Committee* Internal Audit* CEO CIO CISO IS Risk Champ CRO DRO (emerging) Insurance Physical Security Business Continuity CFO Legal/Compliance CSO–Strategy COO Supply Chain HR Corp Comms
Governance, oversight, mandate, tone A S S R I I I C I I I I I C I I I I I
Principles behind cyber RM system C C S A C R I C R I C C C C C C I I C
Cybersecurity policies and procedures I I I A C R I C R C I I I C I I C I
Cyber strategy and strategic performance management I I I A C R I C R I I R I
Cyber standards and frameworks I I I I C R I A R C C I I
Digital risk management enterprise-wide I C C C A R C C C
Identifying, analyzing, and evaluating cyber risks I I C R C A R C C C C C C C C C C
Treating cyber risks I I I C R C A R C R C C C C C C C C
Treating cyber risks using process capabilities I I I C R C A R C R R C C C C C C C
Treating cyber risks using insurance and finance I I I S A S R R
Monitoring and review: Key risk indicators I I I R C A R I
Cybersecurity incident and crisis management I I I C I R A R I R C C C C
Business continuity management I I I C C R A R I R C I R C C C
External context and supply chain I R C R R A
Internal organization context I A C R R R I I
Culture and human factors I A C R C C R C R S
Legal and compliance I I A S S S C C R I I S S
Assurance of cyber RM by all managers I I I A R R R R R R R R R R R R R R R
Independent assurance of effectiveness of cyber RM, governance, and compliance A R I I I I I I I I I I I I I I I I
Information asset management A R C I C I C
Physical security aligned to cybersecurity A R A R R C
Communications and operations management A R I R I C I
Access controls A R I R I C
Cybersecurity systems acquisition, development, and maintenance A R I R I C
People RM A C R I R R I I I I I I I I R I
Cyber competencies/CISO A C R C R R
Human resources security I A S C A R R C
Cyber RM system maturity effectiveness I A C R R R R R C I C
Corporate communications re cybersecurity I A C C C C R

*Asterisk indicates a governance function rather than an executive management function. RM, risk management. Italics indicate an emerging role.
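A RASCI matrix of this size is easy to get wrong when it is tailored: cells get dropped, an activity ends up with two accountable heads, or with none. The following is an added example (not the chapter's own material) of a small consistency check a risk function can run over its tailored matrix before it goes to the risk committee. It applies the conventional RACI rule that each activity has exactly one accountable role, which the chapter does not state explicitly and so is an assumption here, plus the rule that every activity has at least one responsible role. The role list and the sample rows are constructed for the example and are not a copy of Table 15.3.

```python
"""Consistency checks for a RASCI matrix (added example, not from the chapter).

Rules applied to each activity row:
  1. exactly one Accountable (A) role  -- conventional RACI rule, assumed here
  2. at least one Responsible (R) role
  3. only the codes R, A, S, C, I appear
  4. the row has one cell per role (catches dropped or extra cells)
"""
from collections import Counter

VALID_CODES = {"R", "A", "S", "C", "I"}

# Functional heads, in the order of the cells in each row (constructed subset).
ROLES = ["Board", "RiskCommittee", "InternalAudit", "CEO", "CIO",
         "CISO", "CRO", "Legal", "HR"]

# Constructed sample rows: activity -> one code per role ("" = not involved).
# Two rows are deliberately inconsistent so the checks have something to find.
SAMPLE_MATRIX = {
    "Governance, oversight, mandate, tone":  ["A", "S", "S", "R", "I", "I", "C", "I", "I"],
    "Cybersecurity policies and procedures": ["I", "I", "I", "A", "C", "R", "C", "C", "I"],
    "Human resources security":              ["I", "A", "S", "C", "",  "A", "R", "C", "R"],  # two As
    "Independent assurance of cyber RM":     ["A", "R", "",  "I", "I", "I", "I", "I", "I"],
    "People risk management":                ["I", "C", "",  "A", "I", "C", "C", "I", "X"],  # no R, bad code
}


def check_row(activity, cells, roles=ROLES):
    """Return a list of findings for one activity row; an empty list means consistent."""
    findings = []
    if len(cells) != len(roles):
        findings.append(f"{activity}: {len(cells)} cells for {len(roles)} roles")
        return findings  # column alignment is lost, so further checks are meaningless
    bad = sorted({c for c in cells if c and c not in VALID_CODES})
    if bad:
        findings.append(f"{activity}: invalid code(s) {bad}")
    counts = Counter(c for c in cells if c)
    accountable = [r for r, c in zip(roles, cells) if c == "A"]
    if counts["A"] != 1:
        findings.append(f"{activity}: {counts['A']} accountable roles {accountable} (expected exactly 1)")
    if counts["R"] == 0:
        findings.append(f"{activity}: no responsible role")
    return findings


def check_matrix(matrix, roles=ROLES):
    """Return {activity: [findings]} containing only the inconsistent rows."""
    report = {}
    for activity, cells in matrix.items():
        findings = check_row(activity, cells, roles)
        if findings:
            report[activity] = findings
    return report


def accountability_load(matrix, roles=ROLES):
    """Count how many activities each role is accountable for.

    A role that is 'A' for most rows while peers are 'A' for none is the
    concentration signal a CRO would query when the matrix is tailored.
    """
    load = Counter()
    for cells in matrix.values():
        for role, code in zip(roles, cells):
            if code == "A":
                load[role] += 1
    return dict(load)


if __name__ == "__main__":
    for activity, findings in check_matrix(SAMPLE_MATRIX).items():
        for finding in findings:
            print("FINDING:", finding)
    print("Accountability load:", accountability_load(SAMPLE_MATRIX))
```

Run as a script, the two constructed bad rows are reported (the human resources security row for its two accountable heads, the people risk management row for its invalid code and missing responsible role) and the accountability load shows which heads carry the A's. Feed it the organization's own tailored matrix, one list per row in column order, and treat every finding as a question for the risk committee rather than something to silently fix in the spreadsheet.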

Aligning Cybersecurity within Enterprise Functions

The CEO (with board oversight) should also direct the alignment of cybersecurity within each key enterprise function. These functions need to interrelate and team up with the cybersecurity function in order to deliver effective cyber risk management.

Tables 15.4 through 15.21 cover each of the players above. They may be used as guideline templates for any organization to tailor to its needs and objectives. They focus on what each of the key enterprise functions and their heads need to do, including cybersecurity under the CISO. As cybersecurity is such a dynamic space, the tables are not meant to be prescriptive and will need revision and tailoring over time. They serve as a useful starting point for debate and framing within any organization, as well as a starting point for updating position descriptions and reward programs. The only prescription, on good governance grounds, is that the CISO/DRO should not report to the CIO.

Table 15.4 RASCI Matrix Cyber Role for Board Members (and Their Delegatory Bodies)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Oversees all organization capabilities to align cyber risks to key organization objectives
* Board level advisory cyber committee, chaired by a board member (not IT)
* Recordation of all C-suite and boardroom planning, discussion and actions
* Culture & reward systems support cybersecurity
* Effectiveness of cyber-to-enterprise risk management and internal control systems
*Governance, risk oversight and mandate for the enterprise
* Independent assurance by internal audit of cyber risk management
* Annual combined cyber risk and assurance report and board-level audit process of regular reviews
* Tone at the top
* Strategic direction, magnitude of risk it is prepared to take (risk appetite) to achieve objectives (risks of the cyber strategy)
* Oversight that risks to delivery of the strategic objectives are managed effectively (Risks to the cyber strategy)
* CEO
* Internal Audit independent assurance
* Risk committee
* Combined assurance by all enterprise units
* CEO
* Cyber and risk committees (e.g., tone, strategy, appetite, culture, significance of risks, maturity)
* For principles of timeliness, reasonableness, and preparedness
* Cybersecurity policies and procedures
* Cyber strategy and strategic performance management
* Cyber standards and frameworks
* Cybersecurity incident, crisis and business continuity management
* Legal and compliance
* Significant risks and level of cybersecurity capability maturity
During/after cyber crisis (post-“boom”) * Decision making from crisis response team and business continuity reports sent to C-suite * Oversight for prosecuting or defending cyber lawsuits
* Disclosure of breach to partners, public, and owners of contractually transferred data
* As above
* BCM system
* CEO
* Cyber and risk committees (e.g., tone, strategy, appetite, culture, significance of risks, maturity)
* Of ITC/InfoSec escalation from incident to crisis management and recovery
* By the internal ITC crisis investigation team report as an input to legal and other action

Table 15.5 RASCI Matrix Cyber Role for Risk Committee (RC)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Reports to board on monitoring and review of cyber risks, including KRIs input to strategic performance management system
* Encouraging a culture that is risk aware and control-minded where risk management is a core competence, entrepreneurial, informed, responsive to constant changes in the risk landscape and is transparent
* Steering the alignment between cyber- and enterprise-wide risk management systems
* Settles issues aligning management and risk specialty functions to avoid unnecessary escalations to CEO or board
* To the full board
* Maturity effectiveness of cyber-to-enterprise risk management system
* Member group of executives by CEO
* CISO, CRO, and all enterprise executives
* Governance, oversight, mandate, tone
* C-suite boardroom planning, discussion, and actions
* All cyber stakeholders for steering
* Internal audit
* Management and risk functions re: breaches of principles behind cyber risk management system
* Cybersecurity policies and procedures
* Cyber strategy and strategic performance management
* Cyber standards and frameworks
* Risk treatments
* Cybersecurity incident and crisis management
* Business continuity management
* Legal and compliance
During/after cyber crisis (post-“boom”) * Considers crisis response reports and business continuity decision making from top management * Optimizing risk-informed crisis management decision making * Board, CEO, CISO, CRO
* All enterprise executives
* Risk implications for prosecuting or defending cyber lawsuits (especially for reputation) * Impending key decision making (e.g., business continuity, insurance, physical security, external notifications, lawsuits)

Table 15.6 RASCI Matrix Cyber Role for Internal Audit Function (IA)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Independent assurance to board and management on effectiveness of the cyber risk management system
* Evaluate cyber controls and treatment plans for significant risks
* Audits and/or reviews of the board-level advisory cyber committee
* High levels of independent and objective assurance via recommendations * Board and Audit committee governance, oversight, mandate, tone
* CEO and executives
* Principles behind cyber risk management system
* Board and CEO
* Cyber RM system maturity effectiveness
* Combined assurance from other units
* Recordation of all C-suite and boardroom planning, discussion, and actions
* Board-level audit process of regular reviews
* By cyber risk management treatment plans and activities
* Cybersecurity policies & procedures
* Cyber strategy & strategic performance management
* Cyber standards and frameworks
* Cybersecurity incident and crisis management
* Business continuity management
During/after cyber crisis (post-“boom”) * Fresh post-crisis assurance on changes to the cyber risk management system and board-level advisory cyber committee process * Revised assurance * Board and Audit committee
* CEO and executives
* Board and CEO

Table 15.7 RASCI Matrix Cyber Role for Chief Executive Officer (CEO)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Manages all executives and holds them accountable to integrate enterprise-wide cybersecurity
* Governance, oversight, mandate, tone
* Defines cyber risk appetite aligned with enterprise risk and ensures strategies fall within it
* Manages cyber issues by principles of currency, reasonableness, and preparedness
* Effectiveness of cyber-to-enterprise risk management and internal control systems
* On board-level advisory cyber committee
* CISO/DRO and “connecting the board room with the server room”
* Cyber RM system maturity effectiveness
* Principles behind cyber risk management system
* Cybersecurity policies and procedures
* Strategy and strategic performance management
* Internal organization context
* Culture and human factors
* Legal and compliance (e.g., fiduciary duties)
* Assurance by all enterprise functions
* Information asset management
* People risk management
* Cyber competencies/CISO hire
* Corporate communications
* Board, IA, and Audit committee
* CISO/DRO, CRO primarily
* Other enterprise executives secondarily
* Board, IA and Audit committee
* Cybersecurity incident and crisis management
* Business continuity management
* By combined assurance, IA and Board-level audit process of regular reviews
* Recordation of all C-suite and boardroom planning, discussion and actions
* By ITC/info sec, risk manager
* Assessing and treating of cyber risks
* Monitoring and review: KRIs Key Risk Indicators
* External context and supply chain
* HR security
During/after cyber crisis (post-“boom”) * Leading the crisis response team and decision making from crisis response team reports * Recommendations to Board to prosecute or defend cyber lawsuits
* Disclosure of breach to partners, public, and owners of contractually transferred data
* CISO/DRO, CRO, Legal, CorpComms
* Crisis response team
* CISO/DRO, CRO
* Crisis response team
* Of ITC/ InfoSec escalation from incident to crisis management and recovery
* By the internal ITC Crisis Investigation team report as an input to legal and other action

Table 15.8 RASCI Matrix Cyber Role for Chief Information Officer (CIO)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Aligning IT and organization strategies
* Planning, managing, and resourcing delivery of IT services to support organization objectives
* Avoids line management of CISO/DRO to avoid conflict of interest (e.g., resourcing, strategy)
* Combined assurance
* Physical security aligned to cybersecurity and IT systems
* Communications and operations management
* Access controls
* Cybersecurity systems acquisition, development, and maintenance
* Supports CISO/DRO and vice versa
* CRO
* CISO/DRO, CRO, head of BCM
* Principles behind cyber risk management system
* Cybersecurity policies and procedures
* Cyber standards and frameworks
* Digital risk management enterprise-wide
* Treating cyber risks
* Internal organization context
* Culture and human factors
* People risk management
* Cyber competencies/CISO/DRO
* CISO/DRO and cybersecurity function
* Cybersecurity incident and crisis management plans
* By board-level audit process of regular reviews
* By enterprise managers of alignment requirements (e.g., for business continuity plans, insurance, strategic performance management, legal, HR)
* Governance, oversight, mandate, tone
* Independent assurance
During/after cyber crisis (post-“boom”) * Support to CISO/DRO and CRO for enterprise-wide management reporting, decision-making and actions (e.g., disclosure of breach to partners, public, and owners of contractually transferred data) * CISO/DRO, CRO * Cybersecurity incident and crisis management

Table 15.9 RASCI Matrix Cyber Role for Chief Information Security Officer (CISO)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Cybersecurity standards/frameworks, policies, and procedures
* Cyber strategy, principles, capability maturity and strategic performance management
* Assess, treat, monitor, and report cyber risk and KRIs
* Cybersecurity incident and crisis management
* Business continuity management alignment
* Sharing risk re: external context/supply chain
* Internal context for culture, human factors, manages an effective intelligence-based cyber team with specialist competencies (e.g., data scientists, linguists, engineers, analysts, planners, strategists)
* Combined assurance
* Management of information assets; communications and operations; access control; and systems acquisition, development, and maintenance
* Cyber RM system maturity effectiveness
* Information security governance (e.g., cyber committee)
* Information risk management and compliance
* Information security program development and management
* Annual combined cyber risk and assurance report and board-level audit process of regular reviews
* To CEO/CRO for security of enterprise information in all of its forms, inclusive of digital assets
* People risk management
* Cyber and risk committee and CRO
* Legal and compliance
* Other enterprise managers
* External service providers
* Insurance and finance managers
* CEO, CRO re digital risk management enterprise-wide
* Manages cyber strategy in coalition with CRO and CSO
* Inputs for recordation of all C-suite and boardroom planning, discussion, and actions
* Contact with authorities and special interest groups
* By external expert providers
* By board-level audit process of regular reviews, governance, oversight, mandate, tone
* By CEO, CRO, and enterprise managers of alignment requirements
* Contact with authorities and special interest groups
* Independent assurance
During/after cyber crisis (post-“boom”) * Information security incident management and escalation to crisis management
* Inputs via CRO for enterprise-wide management reporting, decision making, and actions (e.g., disclosure of breach to partners, public, and owners of contractually transferred data)
* As above
* Corp Comms
* Prosecuting or defending cyber lawsuits
* CRO, Legal, Corp Comms
* External service providers
* Authorities and special interest groups
* Of ITC/InfoSec escalation from incident to crisis management and recovery
* By the internal ITC crisis investigation team report as an input to legal and other action

Table 15.10 RASCI Matrix Cyber Role for Information Security Risk Champion (ISRC)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Assure/report progress to CISO/DRO, CRO, and Risk committee(s) as required
* Risk liaison within and without the InfoSec function for CRO
* Coordinates and supports risk owners within function to assess, treat, monitor, and report cyber risks
* Enhances risk awareness within function
* Update the risk responses on RM information system in a timely manner in coordination with the risk owner(s)
* Input to CRO’s annual risk management report 
* CISO/DRO, CRO
* InfoSec team and risk owners
* Human resources security
CRO and risk owners to …
* Manage the risks assigned to an acceptable level
* Articulate and manage the controls on which reliance can be placed
* Articulate and manage the action required (with related stakeholders) to achieve target level of risk
* Develop and report on key risk indicators (KRIs)
* Provide appropriate feedback to the CISO/DRO and CRO on a regular basis regarding progress
* CISO/DRO and cybersecurity functionaries
* Governance, oversight, mandate, tone
During/after cyber crisis (post-“boom”) * Inputs via CRO for enterprise-wide management reporting, decision making, and actions (e.g., disclosure of breach to partners, public, and owners of contractually transferred data) * Risk liaison within and without the InfoSec function * CISO/DRO, CRO
* InfoSec team and risk owners
* CISO/DRO and risk owners to manage the escalated risks * Of ITC/ InfoSec escalation from incident to crisis management and recovery
* By the internal ITC crisis investigation team report as an input to legal and other action

Table 15.11 RASCI Matrix Cyber Role for Chief Risk Officer (CRO)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Combined assurance and effectiveness of cyber risk management and maturity improvement
* Internal organization context for cyber risk
* Annual risk management report, including cyber risk
* Member of board-level advisory cyber committee
* Intermediary improving communication between C-suite and IT; reconciling opposing drivers (C-suite focus on costs and the bottom line vs. IT focus on the systems and prevention of a cyber event)
* For DRO
* For CISO (if delegated by CEO) or dotted line if not
* Digital risk management enterprise-wide
* Physical security aligned to cybersecurity
* Treating cyber risks using insurance and finance
* Cyber standards and frameworks
* Assess, treat, monitor, assure and report cyber risks
* Monitoring and review cyber KRIs
* Cybersecurity incident and crisis management
* Business continuity management
* Risk and cyber committees
* CISO/DRO, IS Risk Champ and competencies
* Other risk specialists for BCM, security, insurance, finance, legal/compliance
* HR security
* Risk support, tools, techniques, and training across functions
* Governance, oversight, mandate, tone
* Cyber strategy, principles and strategic performance management
* Cybersecurity policies and procedures
* External context and supply chain
* Culture and human factors
* Cyber competencies CISO/DRO
* Corporate communications
* Appropriate internal control structures with adequate allocation of duties
* Board and CEO mandate, commitment and tone at top
* Independent assurance by Internal Audit
* By irregularities, gaps or concerns (and bring to attention of the Board or its committees)
* IT information asset management, asset controls, systems acquisition, etc.
* Adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations
During/after cyber crisis (post-“boom”) * Lead coordinator of crisis response reports to top management
* “Knock-on” risk management (e.g., disclosure of breach to partners, public and owners of contractually transferred data)
* Optimizing risk-informed escalation and crisis management decision making * As above
* Other specialists for Corp Comms, HR, Ops, Supply Chain
* Risk implications for prosecuting or defending cyber lawsuits (especially for reputation) * Impending key decision making (e.g., business continuity, insurance, physical security, external notifications, lawsuits)

Table 15.12 RASCI Matrix Cyber Role for the Digital Risk Officer (DRO)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Digital risk management enterprise-wide
* Cybersecurity standards/frameworks, policies, and procedures
* Cyber strategy, principles, capability maturity and strategic performance management
* Assess, treat, monitor, and report cyber risk and KRIs
* Cybersecurity incident and crisis management
* Business continuity management alignment
* Sharing risk re: external context/supply chain
* Internal context for culture, human factors, manages an effective intelligence-based cyber team with specialist competencies (e.g., data scientists, linguists, engineers, analysts, planners, strategists)
* Combined assurance
* Management of information assets; communications and operations; access control; and systems acquisition, development and maintenance
* Cyber RM system maturity effectiveness
* Information security governance (e.g., cyber committee)
* Information risk management and compliance
* Information security program development and management
* Annual combined cyber risk and assurance report and board-level audit process of regular reviews
* To CRO for security of enterprise digital-based information and assets
* People risk management
* Cyber and risk committee and CRO
* Legal and compliance
* Other enterprise managers
* External service providers
* Insurance and finance managers
* Manages cyber strategy in co-coalition with CRO and CSO
* Inputs for recordation of all C-suite and boardroom planning, discussion, and actions
* Contact with authorities and special interest groups
* By external expert providers
* By board-level audit process of regular reviews, governance, oversight, mandate, tone
* By CEO, CRO, and enterprise managers of alignment requirements
* Contact with authorities and special interest groups
* Independent assurance
During/after cyber crisis (post-“boom”) * Information security incident management and escalation to crisis management
* Inputs via CRO for enterprise-wide management reporting, decision making, and actions (e.g., disclosure of breach to partners, public, and owners of contractually transferred data)
* As above
* Corp Comms
* Prosecuting or defending cyber lawsuits
* CRO, Legal, Corp Comms
* External service providers
* Authorities and special interest groups
* Of ITC/InfoSec escalation from incident to crisis management and recovery
* By the internal ITC crisis investigation team report as an input to legal and other action

Table 15.13 RASCI Matrix Cyber Role for Head of Insurance (HI)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Treating cyber risks using insurance and finance transfer solutions
* Tracking the evolving cyber insurance market and overall risk finance options
* Insurance implications from fiduciary duties and “reasonable” action for the “processes” to assess and manage cyber risk
* Implications for noncyber and related insurances (e.g., business interruption, directors and officers, public liability insurance, property insurance)
* To CEO for optimizing risk-informed escalation and crisis management decision-making related to insurance and risk transfer
* CISO team, CRO
* Security and business continuity managers
* Legal, regulatory and compliance
* Cybersecurity policies and procedures
* Identifying, analyzing, evaluating, and treating cyber risks  
* Governance, oversight, mandate, tone
* Cybersecurity policies and procedures
* Legal, regulatory, and compliance
* Changes to risk management system via CRO
During/after cyber crisis (post-“boom”) * Lead coordinator of information required for cyber insurance claims
* “Knock-on” effects for insurance purposes (e.g., disclosure of breach to partners, public, and owners of contractually transferred data)
* As above
* Cybersecurity incident, crisis and business continuity management
* Risk implications for insurance and what is noninsurable (e.g., reputation)
* Future insurance ramifications via CRO and reinsurers (e.g., increased premiums)

Table 15.14 RASCI Matrix Cyber Role for Head of Physical Security (HPS)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Physical security aligned to cybersecurity
* Support HR and CISO for human resources security
* Inputs to cybersecurity and business continuity plans, insurance placements  
* Physical-to-cyber treatment as enterprise risk, not just IT/InfoSec risk
* Physical security-to-cyber strategy risk implications  
* CRO, CISO, IS risk champ, BCM and HR manager
* CRO for physical-to-cyber aspects of all C-suite and boardroom planning, discussion and actions
* Physical-to-cyber risk management system as subset of ERM system and aligned to business continuity management system (BCMS)
* Principles behind cyber risk management system
* Cyber standards and frameworks
* Identifying, analyzing, evaluating and treating cyber risks
* CRO/CISO requirements for physical-to-cyber risk management system related to physical security of locations, servers, etc.
During/after cyber crisis (post-“boom”) * Physical-to-cyber inputs via CRO as lead coordinator of crisis response reports to top management
* “Knock-on” effects for physical-to-cyber management (e.g., disclosure of breach to partners, public, and owners of contractually transferred data)
* Optimizing physical-to-cyber-informed escalation and crisis management decision making
* As above
* CCTV/other evidence and information for physical-to-cyber implications for prosecuting or defending cyber lawsuits (especially for reputation)
* CRO/CISO change requirements to physical-to-cyber risk management system related to physical security of locations, servers, etc.
* Relocation to other premises and locations requiring security

Table 15.15 RASCI Matrix Cyber Role for Head of Business Continuity (HBC)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Business continuity management aligned to cyber risk management
* Coordinates and integrates business continuity and cyber risk escalation management for cyber threats
* Aligns cybersecurity to enterprise business continuity plans and considers insurance placements  
* To CRO for business continuity of operations, ensuring organization critical functions recover from disruptive events such as a cyber breach or crisis
* CISO, COO, Supply Chain, HC, HSC
* CRO for BCM-to-cyber aspects of all C-suite and boardroom planning, discussion, actions, principles, standards, and frameworks
* Cyber incident and crisis management system aligned to business continuity management plan and system (BCMS)
* “Points of failure” for cyber information asset management, physical security aligned to cybersecurity, communications and operations management, access control, and cybersecurity systems acquisition, development and maintenance
* Identifying, analyzing, evaluating and treating cyber risks
* CRO / CISO requirements of changes to BCM-to-cyber risk management system related to single points of failure to data assets such as servers
* Governance, oversight, mandate, tone
* Cybersecurity policies and procedures
During/after cyber crisis (post-“boom”) * BCM-to-cyber inputs via CRO as lead coordinator of crisis response reports to top management
* “Knock-on” effects for BCM-to-cyber management (e.g., disclosure of breach to partners, public, and owners of contractually transferred data)
* Optimizing BCM-to-cyber-informed escalation and crisis management decision making
* As above
* CISO in order to activate the BC plan
* Changes to risk management system related to physical security of locations, servers, etc.
* Possible relocation to other premises and locations
* Possible emergency shutdown of systems by CISO

Table 15.16 RASCI Matrix Cyber Role for CFO

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Treating cyber risks using insurance and finance
* Takes cyber risk ownership within their enterprise function to assess, treat, monitor, and report
* On board-level advisory cyber committee
* Manages financial issues by cyber principles of currency, reasonableness, and preparedness
* All aspects of financial management, inclusive of financial risk and resources needed for cybersecurity
* Financial aspects for fiduciary duties and “reasonable” action for the “processes” to assess and manage cyber risk
* Financing of cyber strategy and resourcing
* Board-level advisory cyber committee
* CEO, CRO, insurance manager
* Financial aspects of all C-suite and boardroom planning, discussion and actions
* Identifying, analyzing, evaluating and treating cyber risks
* Cyber insurance
* Principles behind cyber risk management system
* Cybersecurity incident, crisis and business continuity management
* Culture and human factors
* Legal and compliance
* Cyber RM system maturity effectiveness
* By IT/info sec, risk manager and business continuity plans for cybersecurity
During/after cyber crisis (post-“boom”) * Management of a cyber breach costs and bottom-line impacts
* Lead on financial decision making based on crisis response team reports
* Financial aspects of any disclosure of breach to partners, public, and owners of contractually transferred data 
* Board-level advisory cyber committee
* CEO, CRO, insurance manager
* Financial aspects for prosecuting or defending cyber lawsuits
* Of IT/InfoSec escalation from incident to crisis management and recovery
* By the internal ITC crisis investigation team report as an input to financial decision making

Table 15.17 RASCI Matrix Role for Legal Counsel and Compliance (LCC)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Takes ownership within their enterprise function to assess, treat, monitor, and report cyber legal risk and regulatory
* Engages stakeholders as regulations change and plans to accommodate regulatory expansion towards widely accepted standards
* Pre-defines issues by principles of currency, reasonableness, and preparedness (e.g., cross-border alternate IT processing arrangements during a crisis)
* Directs documentation of the cyber risk management “process”
* Reviews past contracts, manages future contracts and contractual compliance
* Determines if information-sharing partnerships with government or other parties may benefit
* Legal counsel member of board-level advisory cyber committee
* CRO, CISO
* Privacy officer monitoring of risk and organization impacts from privacy laws and compliance, or data protection officer under 2018 EU regulations
* Board and CEO governance, principles, and risk oversight for fiduciary duties and “reasonable” action for the “processes” to assess and manage cyber risk
* Cyber strategy and implementation of entire “process-oriented” cycle of cyber defense planning, including committee creation, application, simulation, auditing, and recordation
* Cybersecurity policies and procedures
* Cyber standards and frameworks
* Cybersecurity incident and crisis management
* Recordation of all C-suite and boardroom planning, discussion, and actions
* Insurance terms and conditions
* Identifying, analyzing, evaluating, and treating cyber risks
* By board-level audit process of regular reviews
* Business continuity management
* By ITC/InfoSec, risk manager, and business continuity plans for cybersecurity
During/after cyber crisis (post-“boom”) * Member of crisis response teams set in action with constant documentation of steps taken and reports sent to C-suite
* Internal investigation to record events and actions in preparation for legal action(s) for or against
* Manages any bailiffs to assess collection of technical traces for future litigation
* Manages any “active defense” and authorization from the foreign network owner before operations are commenced to help limit liability for actions taken
* Prosecuting or defending cyber lawsuits
* Disclosure of breach to partners in the private and public sector
* Notifications to the public and owners of contractually transferred data
* CRO, CISO, HR, CorpComms
* Bailiffs
* For advice—either as in-house or outside counsel depending on the potential need to preserve privilege—established immediately and sustained throughout the response
* Of ITC/InfoSec escalation from incident to crisis management and recovery
* By digital forensic software managed by ITC/InfoSec
* By the internal ITC crisis investigation team report as an input to legal action
* By CFO on financial estimations of impacts and prosecution financial support

Table 15.18 RASCI Matrix Cyber Role for Chief Strategy Officer (CSO)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Aligns cyber strategy with strategic performance management system
* Accepts capability targets as CISO’s KPIs and CRO’s KRIs input to strategic performance management system
* Advisor to board-level advisory cyber committee
* CISO, CRO
* Implementation of cyber strategy and principles
* CISO’s cyber strategy aligned to organization strategy and objectives
* CISO’s cyber strategy covers key components that keep up with fast pace of evolving cyber threat universe
* Identifying, analyzing, evaluating, and treating cyber risks
* Monitor and review cyber strategy
* Cyber KPIs (from CISO)
* Cyber KRIs (from CRO)
* Cyber RM system maturity effectiveness
During/after cyber crisis (post-“boom”) * Strategic advice to C-suite (e.g., implications for external context, stakeholders, organization objectives)
* Review of cyber strategy
* CISO, CRO
* Disclosure of breach to partners, public, and owners of contractually transferred data if change to external strategic context for organization
* Crisis management and recovery reports

Table 15.19 RASCI Matrix Cyber Role for Chief Operations Officer (COO)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Takes cyber risk ownership within their enterprise function to assess, treat, monitor, and report
* Sustaining daily operations and business processes
* Supply Chain management function and overseeing protections that customers and vendors maintain to guard against attack
* Operation of the enterprise, inclusive of cybersecurity
* Overseeing reduction in supply chain and operational vulnerabilities to cyber attack
* CRO, BCM Manager
* Head of supply chain, business continuity plan, and testing execution
* Identifying, analyzing, evaluating, and treating cyber risks
* Legal and compliance
* By head of supply chain (e.g., of ITC/InfoSec, risk manager, and business continuity plans for cybersecurity)
During/after cyber crisis (post-“boom”) * Lead on coordinating operational business continuity during crisis
* Managing operations, including customers and vendors
* CRO, BCM Manager
* Head of Supply Chain
* By head of supply chain re: executed business continuity plan
* Disclosure to customers and vendors
* By head of supply chain (e.g., of ITC/InfoSec escalations, ITC crisis investigation team report, and any customer and vendor intelligence)

Table 15.20 RASCI Matrix Cyber Role for Head of Supply Chain (HSC)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Takes ownership within their enterprise function to assess, treat, monitor, and report cyber risk
* Sustaining supply chain daily operations and business processes
* Managing external dependency risks, especially relationships involving information and communications technology (ICT) with supply chain or third-party risks
* Reducing supply chain and external context vulnerabilities to cyber attack
* COO, CRO, BCM manager
* By COO, business continuity plan and testing execution
* Identifying, analyzing, evaluating, and treating cyber risks
* Cybersecurity governance, cyber risk management system, cyber policies and procedures
* By ITC/InfoSec, risk manager, and business continuity plans for cybersecurity
* Legal and compliance
During/after cyber crisis (post-“boom”) * Lead coordinator of business continuity with the supply chain during crisis
* Managing customers, vendors, and other supply chain or third parties
* COO, CRO, BCM manager
* By business continuity plan execution
* By any disclosure to customers, vendors, and supply chain
* Of ITC/InfoSec escalation from incident to crisis management and recovery
* By the internal ITC crisis investigation team report as an input to risk-informed decision making
* By any customer, vendor, and supply chain intelligence

Table 15.21 RASCI Matrix Cyber Role for Head of Human Resources (HR)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Cyber competencies/CISO
* Culture and human factors
* Manages people issues by cyber principles of currency, reasonableness, and preparedness
* On board-level advisory cyber committee
* Training on best practices (e.g., countering “phishing” attacks targeting specific employees)
* Cyber competencies/CISO
* Human resources security
* Planning and policies for enterprise human resources
* CEO, CISO, CRO
* Legal and compliance
* Prioritizing cybersecurity practices and resourcing, including CISO recruitment and retention
* Reducing errors or deliberate actions by employees that may lead to costly cyber incidents
* People aspects for fiduciary duties and “reasonable” action for the “processes” to assess and manage cyber risk
* Cybersecurity policies and procedures
* Cyber RM system maturity effectiveness
* Cybersecurity incident, crisis and business continuity management
* Identifying, analyzing, evaluating, and treating cyber risks
* Governance, oversight, mandate, tone
* Principles behind cyber risk management systems
* Cyber strategy and strategic performance management
* Cyber standards and framework
* Internal organization context
* By ITC/InfoSec, risk manager, and business continuity plans for cybersecurity
During/after cyber crisis (post-“boom”) * Management of a cyber breach people impacts
* Lead on people decision making based on crisis response team reports
* People and reputation aspects of any disclosure of breach to partners, public, and owners of contractually transferred data
* Reducing negative cyber breach people impacts
* Lead on people decision making based on crisis response team reports
* People and reputation aspects of any disclosure of breach to partners, public, and owners of contractually transferred data
* CEO, CISO, CRO, Corp Comms
* People aspects for prosecuting or defending cyber lawsuits
* Of ITC/InfoSec escalation from incident to crisis management and recovery
* By the internal ITC crisis investigation team report as an input to people management

Table 15.22 RASCI Matrix Cyber Role for Head of Corporate Communications (HCC)

Is RESPONSIBLE For … Is ACCOUNTABLE For … Is SUPPORTED By … Is CONSULTED By … Is INFORMED Of/By …
Before cyber crisis (pre-“boom”) * Takes ownership within their enterprise function to assess, treat, monitor, and report cyber risk
* Selects and prepares external public relations (PR) experts in case of crisis
* At-call advisor to board-level advisory cyber committee
* Supports HR training and awareness with broader internal communications on best practices (e.g., countering “phishing” attacks, awareness campaigns to broader employees)
* HR
* CRO, CISO
* Alignment of cyber crisis corporate communications as a subset of corporate crisis management/business continuity plan
* Proactive internal communications to reduce errors or deliberate actions by employees that may lead to costly cyber incidents
* Timely remediation activity to negative social media (both internal or external)
* Support HR for people aspects for fiduciary duties
* Principles behind cyber risk management system
* Identifying, analyzing, evaluating, and treating cyber risks
* By ITC/InfoSec and enterprise manager plans for cybersecurity crisis response and events
* Human resources security
During/after cyber crisis (post-“boom”) * Management of internal corporate communication impacts with staff
* Management of external public relations (PR) impacts
* Outsourced specialist PR or insourced advice for management decision making and crisis team response
* Advice on disclosure of breach to partners, public, and owners of contractually transferred data
* Reducing negative cyber breach people impacts
* Support to HR for people decision making based on crisis response team reports
* Support to HR for people and reputation aspects of any disclosure of breach to partners, public, and owners of contractually transferred data
* HR, legal, and compliance
* CRO, CISO
* Outsourced specialist PR
* ITC/InfoSec and enterprise manager crisis planning and reactions requiring people communications
* Outsourced specialist PR
* By ITC/InfoSec and enterprise manager plans for cybersecurity crisis response and events

Governance and Risk Oversight Functions for Cybersecurity

Corporate governance and risk oversight roles are taken up by the board, its risk committee(s), and the internal audit function reporting to them. The CEO directs management and executes the security strategy, which encompasses the cybersecurity strategy, with advice from the risk committee(s), who also report to the board and other governance functions. The board of directors and the CEO are accountable for overall business and organization performance, and they have a fiduciary duty to assess and manage cyber risk. Regulators, including the Securities and Exchange Commission (SEC), have made clear that they expect an organization’s top leadership to be engaged on the issue. The board and CEO can also play a key role in coordinating with critical third parties at an executive-to-executive level.

Leading international practice is to have a risk committee that reports to the full board and reports up any cybersecurity matters. Suggested participants are the chairpersons of the board and its subcommittees (such as the audit and finance committee, the operations committee, and the HR committee) and, from executive management, the CEO, CISO/DRO, CIO, CRO, and CFO.

The independent assurance role for cybersecurity is uniquely played by internal audit.

The CEO integrates everything from the boardroom to the server room. The CEO role overlaps the areas of corporate governance and senior executive management. The CEO directs the executive management team, from the CISO and IT-related management functions right across to people-related functions such as human resources, as shown in Table 15.3.

Other key reporting lines to the CEO are described below under both the IT-related and the enterprise risk-related management functions dealing with cybersecurity.

Executive Management Functions for Cybersecurity

Several executive management functions interrelated with IT have a bearing on cybersecurity. These functions do not all need to report to the CIO, however, and the CISO in particular need not.

CISO Should Report to CEO

In these times of high cyber threat, the CISO should typically report directly to the CEO, with a dotted line to both the CRO and the CIO. A current Internet search shows a strong trend toward the CISO reporting to the CEO, and in certain countries (e.g., Israel) this reporting line is already legislated.

Variations to Reporting and Titles/Roles

Debates over reporting lines are common in modern organizations. Does compliance report to the general counsel or the CEO? Does risk report to the CEO, the risk committee, finance, or the general counsel?

One thing that is clear, however, from a modern-day corporate governance perspective, is that the CISO should be independent of the CIO. Such a reporting-line principle avoids potential conflicts of interest over cybersecurity strategy execution, time-responsiveness during a crisis, and resource allocation. While a CISO reporting to a CIO may have an option to escalate concerns, this may not always work well in practice, and the CIO may be driven by imperatives other than the best interests of the cyber risk management system. Of course, a reporting line from the CISO to the CEO does not prevent that CISO from escalating matters over the CEO to the board in the name of good governance if that CEO is not responsive.

The challenge, of course, is that modern CEOs are time-pressured, and some prefer to delegate certain areas to people who have a more detailed understanding of that area. If the CEO needs to delegate the CISO’s direct reporting line for practical reasons (e.g., too many direct reports, low digitization risk exposure for the organization) and is legally free to do so, the conflict of interest that would arise if the CISO reported to the CIO can still be avoided by having the CISO report to the CRO. This reinforces to all enterprise functions that the cyber risk management system is an integrated subset of the ERM system, for which the CRO is accountable.

Alternative options are for the CISO to report to the risk committee or the audit and risk committee (but be administered by the CEO’s secretariat or the company secretariat). CEOs with immature ERM functions may alternatively have the CISO report to the head of security (physical security), operations, or shared services (if appropriate).

The full-time CISO role is not identical to an on-call crisis executive or crisis action officer position. (See Chapter 19, “Information Asset Management for Cyber,” for more information on this role.) A crisis action officer is on call and is triggered into action by a standard operating procedure (SOP) for any type of crisis, including—but not exclusive to—a cyber attack. The crisis executive/action officer will not be the CISO; the CISO organizes the cybersecurity expert/team separately to deal with incidents that lead to crisis situations and integrates with the wider organization crisis team. (See Chapter 12, “Cybersecurity Incident and Crisis Management,” and Chapter 13, “Business Continuity Management and Cybersecurity.”) A crisis executive/action officer typically has the authority, SOP, and resources to do the back-end work for the PR organization, enable business continuity plans, and so on. The crisis team plan clarifies to whom this officer reports in a crisis, which may include a crisis executive or command center managers. While the crisis executive/action officer does not create plans (normally done in quiet times), they are involved in executing the plan and interface with the board and major stakeholders. Once a crisis hits, the plans are executed by the people who are on duty and/or brought in for the occasion.

Larger or more mature organizations have a dedicated security operations center (SOC), a command center structure, or sometimes even a cybersecurity operations center. (For more on this, see Chapter 19, “Information Asset Management for Cyber,” and Chapter 22, “Cybersecurity for Operations and Communications,” which stresses the importance of an SOC.) The SOC may or may not be part of the CISO’s remit; if it is, the CISO will have a dotted line to the CIO. Managed security service providers (MSSPs) offer the SOC as an outsourced service.

The SOC function should be completely integrated with the command center structure. The CISO is typically not part of this command center structure but is brought into the picture if an incident/crisis involves information security. In larger financial institutions, for example, the command center structure is in place but dormant until a need for activation is indicated by the alerts it regularly receives. The head of the command center is on duty and on call 24/7 on top of his day-to-day job. There may be a weekly rotation among three or four command center heads, who are senior people but not necessarily the most senior executive managers.

Ownership of information technology falls under the chief information officer (CIO).

Ownership of information security falls under the CISO. Some CISOs are already moving toward, or have already transformed, their roles into a DRO role (see Table 15.9).

The CISO should dedicate one of his team members as a part-time risk champion or risk lead. They act as the ambassador to the CRO and other enterprise functions that the CISO’s team needs to partner with.

Enterprise Risk-Related Management Functions for Cybersecurity

The CRO is accountable to the CEO and the risk and other governance committees for the enterprise risk management system and all its subsystems, which include the cyber risk management system for cybersecurity and its sister systems such as the business continuity management (BCM), crisis management, and physical security systems. Cybersecurity also involves cyber insurance (products to insure against cyber threats) and finance solutions, which fall under CRO accountability and represent a shared responsibility with the finance function. While in some organizations the insurance function may sit within and report to the finance function, the enterprise accountability for a potential “insurance gap” risk falls to the CRO. Risk officers can ensure that the various stakeholders are connected in assessing, managing, and responding to cyber risks. They can also give key decision makers access to leading-practice methodologies, tools, and understanding.

Emergence of the Digital Risk Officer (DRO)

Gartner foresees the emergence of digital risk and the digital risk officer. Its research indicates that more than half of CEOs will have a senior “digital” leader role on their staff by the end of 2015, and that by 2017 one-third of large enterprises engaging in digital business models and activities will also have a DRO role or equivalent.1 The DRO will report to a senior executive outside of IT, such as the CRO, a chief digital officer (CDO), or the chief operating officer (COO). Some CISOs are already moving towards, or have transformed, their roles into a DRO role (see below). (Editor’s note: this extract is taken from our Chapter 24, People Risk Management. At the time of publication, this is still an emerging area, and the dividing lines are fuzzy and not yet universally agreed or established.) Ownership of specialization in enterprise-wide cyber risk management falls under the emerging role of the DRO.

Ownership of insurance and risk finance falls under the head of insurance.

Ownership of physical security, which is in itself increasingly becoming digitized, falls under the head of Physical Security.

Ownership of business continuity management (BCM) falls under the head of BCM. BCM may be agnostic about why assets were lost (i.e., which risk materialized), but its business-impact analysis focuses on “points of failure,” including digital data assets.

Ownership of organizational financial matters falls under the CFO. A CFO’s concerns may range from the potential costs of a cyber event and its impact on the bottom line to the insurance implications an event may have. CFOs can play a key role in coordination, building the business case, and participating on a cyber task force or related committee.

Other Enterprise Management Functions Supporting Cybersecurity

While the above enterprise risk-related management functions are critical partners with the CISO’s function and critical to cybersecurity, other enterprise functions have a critical role to play at times such as a cyber crisis and can lend ongoing support to cybersecurity as well. Their contributions and cooperative interaction with the CISO and CRO functions are important. These extend from legal and compliance across to HR and corporate communications.

Ownership of legal matters falls under the legal counsel and compliance officer. Ownership of compliance matters falls under the head of compliance, who may (or may not) report to the legal counsel. As regulations around cyber develop, legal and compliance roles become increasingly important in keeping other stakeholders informed and engaged. In certain jurisdictions, lawsuits often follow a cyber incident.

Ownership of organizational strategic matters falls under the chief strategy officer (CSO).

It is critical that cybersecurity is considered within the overall organization context, including the role of the procurement/supply chain and operations functions in performing supplier due diligence and management. Interactions with customers and suppliers can create cybersecurity vulnerabilities. The protections these functions have in place need to be understood, because they may be a weak point in an organization’s cyber defenses. This is often reported as not adequately addressed, particularly where critical data is being exchanged with suppliers. It is also important that these functions maintain daily operations and workplace stability during a cyber event.

Ownership of organizational operational matters falls under the COO.


Ownership of human resource matters falls under the head of Human Resources. Employees are often the weakest link in the cybersecurity chain. Simple errors and accidents, or deliberate actions, by employees can lead to costly cyber incidents. Training on best practices is critical, especially with the rise in sophisticated “spear-phishing” attacks targeting specific employees. Employees must be helped to understand the consequences of failure within the interconnected organizational context.

Ownership of corporate communications matters falls under the head of Corporate Communications.

Conclusion

The following cyber risk management statement represents the organization capabilities that the CEO and board should be looking to have their organization demonstrate in terms of the cyber risk internal organization context.

Note

About Domenic Antonucci

Domenic is a practicing international chief risk officer overseeing cybersecurity and a former counterterrorist intelligence officer. An Australian expatriate based in Dubai, UAE, Domenic specializes in bringing capabilities within organization risk management systems “up the maturity curve” for enterprise, program, and specialized risks such as cybersecurity. Formerly with Marsh, Shell, and Red Cross, he has over 35 years’ experience in risk, strategic planning, and business management consulting across many sectors in Europe, Africa, the Middle East, Asia, and Australia-Pacific. A Specialist of the IRM (SIRM), he is a certified ISO 31000 ERM lead trainer and BCMS business continuity lead implementer as well as a former RMP-PMI risk management professional and PMP project management professional. A regular international conference presenter and author, he is the content author for the risk maturity model software Benchmarker™ and the author of the book Risk Maturity Models: Assessing Risk Management Effectiveness.

About Bassam Alwarith

Bassam heads the National Digitization Acceleration Program in the Kingdom of Saudi Arabia. He reports to a Ministerial Council headed by the Minister of Economy and Planning. Bassam has led digitization transformation programs in the private and public sectors. He is experienced in governance, business continuity, and organizational capability development. Bassam has held various executive positions, including chief information officer, chief financial officer, chief operating officer, and chief investment officer. He has worked in the United States with technology companies such as Oracle, and in the Kingdom of Saudi Arabia, where he has held various technology leadership roles.
