For Cyber Readiness, the CISO and CRO Join Forces

For Cyber Readiness, the CISO and CRO Join Forces
August 24, 2023 8 mins

For Cyber Readiness, the CISO and CRO Join Forces

For Cyber Readiness, the CISO and CRO Join Forces Hero image

As cyber attacks increase and become more costly, cyber security coordination across business units has become more important than ever. By bringing the chief information security officer (CISO) and chief risk officer (CRO) together, companies can take a proactive approach to minimizing cyber risks.

Key Takeaways
  1. The CISO and CRO may not have always worked closely with one another, but cyber risks are bringing the two roles together.
  2. New regulatory requirements and an increase in cyber threats following the COVID-19 pandemic have prompted businesses to re-examine their cyber security strategies.
  3. Collaboration between the CISO and CRO to understand the organization’s true cyber risk posture is a key part of an organization’s overall cyber health.

Overview

Cyber attacks are on the rise, with ransomware, digital impersonation, cyber espionage and data breaches prompting businesses to find new solutions for managing cyber risk. Organizations are learning that collaborations between the Chief Information Security Officer (CISO) and Chief Risk Officer (CRO) are increasingly necessary to coordinate cybersecurity efforts.

“These leaders are finding it increasingly necessary to partner together because the underwriters are looking for very specific and technical controls about how their security program runs,” says Dave Dalva, SVP, Cyber Resilience and Stroz Friedberg Digital Forensics and Incident Response at Aon.

“With the CRO’s focus on improving risk transfer insurance outcomes and the CISO’s focus on budget approval for cybersecurity initiatives, the two roles must now work in concert with each other,” says Jenifer White Visek, Vice President, Proactive Cybersecurity Advisory at Aon. “Whether they know it or not, they're speaking the same language.”

In Depth

Though they come from different backgrounds, unifying the CISO and CRO roles is part of developing a sound overall strategy for assessing and managing cybersecurity. When aligned, the CRO’s understanding of financial risks and premium-bearing control gaps and the CISO’s knowledge of cyber threats and protective controls can help inform the critical governance, operational and technical aspects of building a strong cybersecurity approach across an organization.

In the private equity investor community, not only does bridging the gap between the CISO and the CRO support a holistic approach to risk, it also speaks to the concerns of leaders today. “CFOs of portfolio companies, operating partners who manage the portfolio companies and deal team members want to understand more about ransomware and learn about trends in cyber insurance,” Dalva says. “It's certainly something that's top of mind now at the board level.”

Cyber and Insurance Risks in a Post-Pandemic World

In the years since the onset of the COVID-19 pandemic, cyber attacks have increased. Remote work and other post-pandemic workplace realities resulted in unexpected insurance losses and payouts and added to the complexity of insurance and cyber risk, according to White Visek.

“Those losses prompted insurance markets to take a much closer look at organization’s cybersecurity controls, and for the first time we saw absence of controls influence insurability,” adds White Visek.

Though CROs and CISOs are both intent to reduce these risks, they may not know how much their goals are truly aligned with one another. Part of this disconnect may come from the varying backgrounds of the CISO and CRO — but taking a more comprehensive approach to cyber risk management could bring these two roles together, in addition to uniting other roles in the organization.

“Whether it's CFO or general counsel or Chief Operating Officer, enterprises should take a more holistic view of cyber risk,” says Dalva. “Cyber risk is not just about protecting yourself, it's not just about insurance and it's not just about being able to manage incidents. It's really all of it together. It's a continuum.”

Quote icon

Whether it’s the CFO or general counsel or chief operating officer, enterprises should take a more holistic view of cyber risk.

Dave Dalva
Senior Vice President, Cyber Resilience and Stroz Friedberg Digital Forensics and Incident Response, Aon
The Role of Regulation

In addition to international legislation like the GDPR, states, countries and even industries have their own regulatory requirements surrounding data protection and cybersecurity. Dalva notes that the Securities and Exchange Commission (SEC) is now taking a closer look at cyber risk, and a range of industries are increasingly affected as well.

“Some industries are more highly regulated and have more potential regulatory impact like financial services and healthcare, but everybody has this problem,” says Dalva.

Regulatory requirements are also prompting businesses to reassess what they know about cyber risk and how they approach it through reporting and internal strategies; recent SEC guidance proposes much stronger governance and board awareness of cyber hygiene. “That is a testament to the fact that interest and awareness of cyber risk will continue to be a top business priority,” White Visek says.

CISOs and CROs Working Together

The needs of certain industries may inspire closer collaboration between CISOs and CROS, though a unified approach to cybersecurity is important for all businesses.

“The more mature and advanced companies tend to be, like financial services and investment banks, the more they have to lose,” Dalva says, adding that private equity firms are becoming more attuned to cyber risk due to the impact cyber losses have on companies.

“While healthcare, retail and financial industries have historically been primary targets due to the amount of sensitive data held, the rise of ransomware has been a game changer,” adds White Visek. “We have seen cyber breaches in every industry class. Every organization is a potential target, and the need for a strong foundation of cyber controls has never been more important.”

Other parts of a business can also help in bringing the CISO and CRO together to support cyber security. “CFOs often oversee the functions of CROs and CISOs,” Dalva explains. “If the CFO has greater understanding of how investing in adequate cyber controls translates to mitigating financial impact from cyber attacks or limitations in coverage, they can encourage other senior leaders and stakeholders to be more proactive in supporting critical initiatives.”

Developing a big-picture understanding of how roles work together within a company can also help in minimizing cyber risk. “The CISO is working to lower the risk profile and create standards and controls that meet or exceed cyber security frameworks or guidance,” White Visek says. “Improvements that IT and security teams have made to lower the attack surface and better protect an organization’s data and infrastructure is success story that the CRO should be able to understand and articulate during placement discussions.”

By including the CISO and CRO in a shared conversation about cyber risk early, companies may be able to avoid future losses.

“If the CISO and CRO don't work together proactively, they're may to have to work together reactively,” Dalva says. “Incidents are stressful situations that affect all company stakeholders, and impact their ability to perform their normal jobs.”

A mature approach to cyber security could improve outcomes in terms of coverage while also minimizing financial and reputation risks. And alignment between the CISO and the CRO should be built into the roles from the beginning.

“By realizing that these two roles will face the same scrutiny of cyber controls from different stakeholders, but ultimately need the same outcome (to lower the organization’s cyber profile), organizations can take meaningful strides in partnering together to create a culture of cyber resiliency,” says White Visek.

Quote icon

The CISO is working to lower the risk profile. The fact that they’ve done that is a success story that the CRO can tell during placement discussions — they haven’t been empowered to do that before because those two people haven’t talked.

Jenifer White Visek
Vice President of Proactive Cyber Solutions

General Disclaimer

The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. Insurance products and services are offered by Aon Risk Insurance Services West, Inc., Aon Risk Services Central, Inc., Aon Risk Services Northeast, Inc., Aon Risk Services Southwest, Inc., and Aon Risk Services, Inc. of Florida, and their licensed affiliates. The information contained herein and the statements expressed are of a general nature, not intended to address the circumstances of any particular individual or entity and provided for informational purposes only. The information does not replace the advice of legal counsel or a cyber insurance professional and should not be relied upon for any such purpose. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner