By Jim Wetekamp, CEO at Riskonnect

The days when chief information security officers toiled away in backrooms are over. Today’s CISOs are considered strategic business partners. In fact, Deloitte research shows a significant increase in CISO involvement in strategic conversations and that more CISOs now report directly to the CEO.

Organizations rely on technology for strategy, growth, and revenue. System availability and uptime are non-negotiable, yet a rise in digital threats puts companies at constant risk of disruption. Boards are demanding that CISOs and tech leaders anticipate and proactively manage this growing array of risks to protect the organization’s critical technology. The CISO role, and how these leaders address threats, is fundamentally changing as a result.

New Generation of Digital Risks

CISOs face a wide range of evolving digital risks that make it more challenging than ever to keep the organization and its technology secure and running smoothly.

Technology adoption

Eighty percent of senior executives intend to boost spending on new technologies this year. Companies are strategically adopting AI tools, automation, cloud technology, and other advanced and emerging tech to boost productivity, streamline operations, improve decision-making, enhance customer experiences, and ultimately maintain a competitive edge.

Every new piece of technology the organization adopts, however, opens the business up to risk. While these new tools deliver many benefits, they also expand the attack surface and introduce new vulnerabilities. New tools can also degrade overall system performance and cause downtime during deployment if they are not cleanly integrated with existing systems.

Advanced cybersecurity threats

Cyber risk now surpasses economic and talent risks as the top concern for organizations. According to Riskonnect’s New Generation of Risk Report, 72% of executives say cyber threats significantly impact their organization. Twenty-four percent of executives specifically cite AI-powered attacks – such as ransomware, phishing, and deepfakes – as their top business risk for the next 12 months. Despite this growing threat, 80% of organizations lack a dedicated strategy to address AI-driven fraud attacks and other generative AI risks, which leaves organizations exposed.

Cybercrime is estimated to cost companies approximately $10.5 trillion annually. The global average cost of a data breach is currently estimated at $4.45 million. Ransomware demands average $2 million, plus another $2.75 million in clean-up costs. The consequences of cybercrime go beyond financial losses. A single breach or attack can lead to reputational damage, regulatory scrutiny, and operational disruptions that have lasting effects. Given the business impact of these risks, it stands to reason that CISOs’ influence is growing and that these tech leaders are increasingly seen as strategic business partners.

A lack of AI governance

The rapid integration of AI into business operations creates major challenges in governance and oversight. Only 8% of organizations feel prepared for AI and AI-governance risks. Just 19% of organizations have formally trained or briefed their entire organization on generative AI risks.

Insider threats are just as serious as those that come from outside an organization’s four walls. Employees, partners, contractors, and suppliers with system access can compromise security, maliciously or unintentionally, ranging from accidental data exposure through improper handling to deliberate data theft and extortion. There’s also the risk of system failures from employees using AI tools incorrectly, or from an AI model making unauthorized decisions or changes. The pressure to drive fast value from AI could also lead teams to cut corners on security governance or sidestep the IT function altogether.

Third-party risks

As more vendors embrace AI tools, third-party risk grows. At least 15% of data breaches involve a third party or supplier, with some estimates closer to a third or more, and AI further amplifies this risk. Sixty-five percent of organizations lack policies governing AI use among suppliers, which creates critical security gaps. But AI isn’t the only factor. A faulty software update, such as the July 2024 CrowdStrike Falcon sensor update that crashed millions of Windows hosts worldwide, or another event at a vendor partner could shut down your critical operations if you don’t have a comprehensive approach in place for digital risk management.

How the CISO Role is Evolving

CISOs used to be focused on protecting the company’s information. The emphasis was on implementing security measures like firewalls, intrusion detection systems, and data encryption to ward off potential threats. But given the growing reliance on system availability and the array and severity of digital threats to organizations’ systems, IT risk is now a core business risk – and the expectations of the CISO role are that much greater.

CISOs need a deep understanding of the organization’s exposure and resilience for the full array of digital risks – not just data breaches and information security issues. They’re expected to:

  • Safeguard the organization’s critical technology and future aspirations from cyber threats.
  • Develop and implement a comprehensive strategy to address cybersecurity, IT risk, resilience, business continuity, compliance, AI, third-party risk, and more.
  • Drive digital resilience and help the business recover quickly from events that occur.
  • Provide insights to the board on the effectiveness of processes and controls.
  • Identify necessary changes to IT, cyber, and AI practices to protect the business.
  • Convey technical information in a way that other leaders and frontline users across the organization understand.

The CISO role is transforming. And so is how these tech leaders approach managing digital risks that could take the company down instantly.

Three Ways to Maximize CISO Impact

There are three steps for CISOs to consider as they rise to meet growing expectations and take ownership of their expanding responsibility for protecting the organization’s critical technology, future aspirations, and viability.

1. Shift your mindset beyond ‘detection.’

Intrusion detection systems, security information and event management systems, vulnerability scanners, and other tools certainly still have their place. But they’re not the be-all and end-all. Even the most advanced cybersecurity measures can’t eliminate your risk. As the expectations on CISOs grow and evolve, risk management approaches need to transform alongside them.

Today’s digital risks extend well beyond malware and breaches to include regulatory challenges, third-party vulnerabilities, and operational disruptions. CISOs need a proactive and holistic approach to preventing, managing, and recovering from the full spectrum of digital risks. A focus on detecting vulnerabilities, attacks, and mishaps alone overlooks critical sources of risk and leaves organizations exposed.

2. Focus on a unified technology risk management strategy.

Gone are the days of inventorying risk, identifying anomalies, and patching vulnerabilities component by component. Today’s attack surface and risk spectrum are simply too large. There are too many assets, systems, business services, users, teams, controls, servers, devices, and regulations to manage. Risks are also interconnected and can span across the whole company. The only way to stay on top of it all is with a proactive, comprehensive, and structured approach that coordinates across multiple stakeholders and departments.

Leading CISOs recognize the sheer scale of digital risks that could harm the business. Managing technology risks means not just getting insight on IT risks and controls, but also third-party risks, compliance, business continuity, resilience, data privacy, and more.

The focus has now shifted from IT risk management to technology risk management. Technology risk management identifies, anticipates, and addresses the broader risks of technology failure to ensure smooth and uninterrupted operations. It brings together various risk domains and the strategies, processes, systems, finances, and people to manage risks across the entire organization, including cyberattacks, ransomware demands, data breaches, service outages, equipment breakdowns, human error, and more.

A unified strategy also requires close collaboration with executive leadership, IT teams, business units, and external partners to foster a culture of resilience and shared responsibility.

3. Get a holistic view of digital risks.

CISOs need to know where the organization’s digital risks lie, what they mean, how they link to business strategy, and what to do about them. Start by identifying the organization’s technology assets and partners. Inventory all networks, devices, infrastructure, software, data, processes, and people. This includes developers, users, tech staff, and others who operate the technology.

Then, assess the risks. Evaluate the organization’s digital infrastructure, systems, processes, vulnerabilities, and existing controls. Determine the likelihood and potential impact of these risks from both internal and external sources.

Some risks are important to avoid completely because they aren’t worth the potential damage. Others might be worth accepting, such as risks that come with new technology. Many are best reduced with controls, such as patching, access restrictions, or monitoring, until the residual risk is tolerable. There also could be risks where it is best to transfer the responsibility to another party, usually through insurance or outsourcing. Regularly reassess these risks and the response plans for them, and adjust as necessary. Stay ahead of these and other emerging risks by continuously monitoring the digital threat landscape and planning for various scenarios.

A Spotlight on CISOs

It’s an exciting time for CISOs. Digital transformation is accelerating across industries, and their role is rapidly expanding to take on the growing challenges of operating a business in the digital age. CISOs hold the keys to ensuring the business can confidently embrace new technology without compromising security or stability.

About the Author

Jim Wetekamp is the CEO of Riskonnect, a leading provider of integrated risk management software. He is a recognized expert on insurable risk, enterprise risk, and resilience.