For Cyber Readiness, the CISO and CRO Join Forces
As cyber attacks increase and become more costly, cyber security coordination across business units has become more important than ever. By bringing the chief information security officer (CISO) and chief risk officer (CRO) together, companies can take a proactive approach to minimizing cyber risks.
Key Takeaways
- The CISO and CRO may not have always worked closely with one another, but cyber risks are bringing the two roles together.
- New regulatory requirements and an increase in cyber threats following the COVID-19 pandemic have prompted businesses to re-examine their cyber security strategies.
- Collaboration between the CISO and CRO to understand the organization’s true cyber risk posture is a key part of an organization’s overall cyber health.
Overview
Cyber attacks are on the rise, with ransomware, digital impersonation, cyber espionage and data breaches prompting businesses to find new solutions for managing cyber risk. Organizations are learning that collaborations between the Chief Information Security Officer (CISO) and Chief Risk Officer (CRO) are increasingly necessary to coordinate cybersecurity efforts.
“These leaders are finding it increasingly necessary to partner together because the underwriters are looking for very specific and technical controls about how their security program runs,” says Dave Dalva, SVP, Cyber Resilience and Stroz Friedberg Digital Forensics and Incident Response at Aon.
“With the CRO’s focus on improving risk transfer insurance outcomes and the CISO’s focus on budget approval for cybersecurity initiatives, the two roles must now work in concert with each other,” says Jenifer White Visek, Vice President, Proactive Cybersecurity Advisory at Aon. “Whether they know it or not, they're speaking the same language.”
In Depth
Though the two roles come from different backgrounds, unifying the CISO and CRO is part of developing a sound overall strategy for assessing and managing cybersecurity. When aligned, the CRO’s understanding of financial risks and premium-bearing control gaps and the CISO’s knowledge of cyber threats and protective controls can help inform the critical governance, operational and technical aspects of building a strong cybersecurity approach across an organization.
In the private equity investor community, not only does bridging the gap between the CISO and the CRO support a holistic approach to risk, it also speaks to the concerns of leaders today. “CFOs of portfolio companies, operating partners who manage the portfolio companies and deal team members want to understand more about ransomware and learn about trends in cyber insurance,” Dalva says. “It's certainly something that's top of mind now at the board level.”
Cyber and Insurance Risks in a Post-Pandemic World
In the years since the onset of the COVID-19 pandemic, cyber attacks have increased. Remote work and other post-pandemic workplace realities resulted in unexpected insurance losses and payouts and added to the complexity of insurance and cyber risk, according to White Visek.
“Those losses prompted insurance markets to take a much closer look at organizations’ cybersecurity controls, and for the first time we saw absence of controls influence insurability,” adds White Visek.
Though CROs and CISOs are both intent on reducing these risks, they may not realize how closely their goals are aligned with one another. Part of this disconnect may come from the differing backgrounds of the CISO and CRO — but taking a more comprehensive approach to cyber risk management could bring these two roles together, in addition to uniting other roles in the organization.
“Whether it's CFO or general counsel or Chief Operating Officer, enterprises should take a more holistic view of cyber risk,” says Dalva. “Cyber risk is not just about protecting yourself, it's not just about insurance and it's not just about being able to manage incidents. It's really all of it together. It's a continuum.”
The Role of Regulation
In addition to international legislation like the GDPR, states, countries and even industries have their own regulatory requirements surrounding data protection and cybersecurity. Dalva notes that the Securities and Exchange Commission (SEC) is now taking a closer look at cyber risk, and a range of industries are increasingly affected as well.
“Some industries are more highly regulated and have more potential regulatory impact like financial services and healthcare, but everybody has this problem,” says Dalva.
Regulatory requirements are also prompting businesses to reassess what they know about cyber risk and how they approach it through reporting and internal strategies; recent SEC guidance proposes much stronger governance and board awareness of cyber hygiene. “That is a testament to the fact that interest and awareness of cyber risk will continue to be a top business priority,” White Visek says.
CISOs and CROs Working Together
The needs of certain industries may inspire closer collaboration between CISOs and CROs, though a unified approach to cybersecurity is important for all businesses.
“The more mature and advanced companies tend to be, like financial services and investment banks, the more they have to lose,” Dalva says, adding that private equity firms are becoming more attuned to cyber risk due to the impact cyber losses have on companies.
“While healthcare, retail and financial industries have historically been primary targets due to the amount of sensitive data held, the rise of ransomware has been a game changer,” adds White Visek. “We have seen cyber breaches in every industry class. Every organization is a potential target, and the need for a strong foundation of cyber controls has never been more important.”
Other parts of a business can also help in bringing the CISO and CRO together to support cyber security. “CFOs often oversee the functions of CROs and CISOs,” Dalva explains. “If the CFO has greater understanding of how investing in adequate cyber controls translates to mitigating financial impact from cyber attacks or limitations in coverage, they can encourage other senior leaders and stakeholders to be more proactive in supporting critical initiatives.”
Developing a big-picture understanding of how roles work together within a company can also help in minimizing cyber risk. “The CISO is working to lower the risk profile and create standards and controls that meet or exceed cyber security frameworks or guidance,” White Visek says. “Improvements that IT and security teams have made to lower the attack surface and better protect an organization’s data and infrastructure are a success story that the CRO should be able to understand and articulate during placement discussions.”
By including the CISO and CRO in a shared conversation about cyber risk early, companies may be able to avoid future losses.
“If the CISO and CRO don't work together proactively, they may have to work together reactively,” Dalva says. “Incidents are stressful situations that affect all company stakeholders, and impact their ability to perform their normal jobs.”
A mature approach to cyber security could improve outcomes in terms of coverage while also minimizing financial and reputational risks. Alignment between the CISO and the CRO should be built into the roles from the beginning.
“By realizing that these two roles will face the same scrutiny of cyber controls from different stakeholders, but ultimately need the same outcome (to lower the organization’s cyber profile), organizations can take meaningful strides in partnering together to create a culture of cyber resiliency,” says White Visek.
The CISO is working to lower the risk profile. The fact that they’ve done that is a success story that the CRO can tell during placement discussions — they haven’t been empowered to do that before because those two people haven’t talked.