CISO and CRO Join Forces to Combat Cyber Threats

While cyber security is a global problem, in 2022 the Asia-Pacific region was the most attacked, accounting for 31% of all cybercrime remediated incidents worldwide, an unwanted title it also held in 2021.¹

Research released earlier this year by IBM², found the deployment of backdoors, which allow remote access to systems, was the most popular method (about one-third of cases) followed by ransomware. According to the report the majority of backdoor attempts failed, however the increasing value of data points to a substantial economy in personal information.

Cyber Security Hub spoke to cyber professionals across the Asia Pacific region in mid-2023 and found only 12 percent of respondents had not experienced a cyber attack in the past year.³

Cyber attack or data breach is also ranked as the number one risk facing organisations in the Asia Pacific region and is predicted to remain in this position by 2026, according to Aon’s 2023 Global Risk Management Survey.⁴

The increasing regularity and complexity of these attacks have prompted businesses to find new solutions for managing cyber risk. Organisations are learning that collaboration between the Chief Information Security Officer (CISO) and Chief Risk Officer (CRO) is increasingly necessary to coordinate cyber security efforts.

Cyber Lead for Aon Australia, Michael Parrant, says that while the CRO has always been recognised as a critical role, for a long time cyber security and IT were treated almost as support functions. However, in the last five years the CISO role has gained more importance. “And now the two roles are not equal necessarily, but certainly much closer to equal from a criticality perspective. The CISO role should report to the CRO much more directly or if not, at least on a split reporting basis.”

Andrew Mahony, Head of Cyber Risk for Aon in Asia notes that “not long ago, some of our clients at a CRO level, or reporting to the CRO, had difficulty identifying a CISO or their team. That has changed dramatically – across our larger clients we’ve seen a top-down push to bring these functions much closer together.”

Though they come from different backgrounds, unifying the CISO and CRO roles is part of developing a sound overall strategy for assessing and managing cybersecurity. When aligned, the CRO’s understanding of financial risks and premium-bearing control gaps and the CISO’s knowledge of cyber threats and protective controls can help inform the critical governance, operational and technical aspects of building a strong cyber security approach across an organisation.

“As board members now have increased personal responsibility and have the mandate to understand cyber risk much more, roles and their reporting structures are changing so that the board has better access to the people managing it,” Parrant says.

Though CROs and CISOs share the intent to reduce cyber risks, they may not know how much their goals are truly aligned with one another. Part of this disconnect may come from the varying backgrounds of the CISO and CRO.

“Other leaders can assist to bring the CISO and CRO together to support cyber security. CFOs often oversee the functions of CROs and CISOs,” Mahony explains. “If the CFO has greater understanding of how investing in adequate cyber controls translates to mitigating financial impact from cyber attacks or limitations in coverage, they can encourage other stakeholders to be more proactive in supporting critical initiatives.”

In addition to international legislation like the GDPR, states, countries and even industries have their own regulatory requirements surrounding data protection and cybersecurity.

Parrant says that the US is currently ahead of Australia from a security uplift perspective, however with the Australian government’s objective of being the most cybersecure country by 2030, it is important to learn more from global partners.

“One thing that puts Australia on a level with countries such as the US and those in the Euro zone is the change in privacy regulations. We've gone from zero to now potentially being the most draconian country in the world when it comes to these fines and penalties. So that really elevates us sharply. Australian businesses need to consider things differently in future because that will materially change the world for certain organisations. There's the big question of whether the regulator will actually issue fines or penalties, but at the end of the day, they're going to look to hold up some examples to set the tone,” Parrant explains.

In Asia, Mahony says “there is a steady migration towards a GDPR-like model, driven in part by the need for countries to meet EU adequacy requirements for the movement of personal data. On paper, enforcement measures under some of these regulations are severe, particularly the percentage of annual turnover which may be at risk for a serious infringement, but it remains to be seen whether the actual penalties imposed will match that severity, which can make it difficult for companies to understand their true exposure.”

The needs of certain industries may inspire closer collaboration between CISOs and CROs, though a unified approach to cyber security is important for all businesses.

“Broadly, Aon’s role is managing risk for an organisation, so naturally we work closely with CROs or similar titles, and connect the dots to others, such as cyber security specialists, to raise the importance, or the relevance, of those individuals to a more needed level,” Parrant says.

Parrant further explains, “the CRO has different threads to pull upon as needed for overall risk management. Aon helps to identify what that risk is through cyber impact analysis which identifies the financial risks, as well as the thematic behind those risks. We work to get the people managing the risk a bigger seat at the table than what they had a few years ago to say ‘this is what a bad day could look like for us’.”

Drawing the CRO and CISO roles closer together is also increasingly important from an insurance perspective.

“The CISO is working to lower the risk profile and improvements made to better protect the organisation is a success story the CRO can tell during placement discussions,” Mahony says. “Better communication between the two roles empowers them to do that.”

A mature approach to cyber security could improve outcomes in terms of coverage while also minimising financial and reputation risks.

According to Mahony, the rise of ransomware over the recent years has driven “a significant increase in technical rigour from clients and underwriters alike. The underwriting process has become far more onerous, but many organisations are seeing the benefits of undergoing an assessment by insurers which are seeing – and paying – very large losses and which have a vested interest in their cyber resilience.”

By including the CISO and CRO in a shared conversation about cyber risk early, companies may be able to avoid future losses.

“It is so encouraging to see that the cyber maturity of organisations across the Asia Pacific region has been increasing and improving over the last few years as a result of this closer relationship between CROs and CISOs,” Parrant says. “By realising the two roles face the same scrutiny of cyber controls and both are ultimately focused on the same outcome of a lower cyber risk profile, businesses can take meaningful strides in partnering together to create a culture of cyber resiliency.”