A New Mindset for Managing Information Risk

Kal Bittianda

Kal Bittianda Egon Zehnder, New York

Over the last several years, the role of the chief information security officer (CISO) has undergone a critical transformation from technical guru to core member of an organization’s senior leadership team. But in highly regulated, complex industries such as financial services and healthcare that harbor large amounts of personal information, the role is undergoing a further evolution as sensitive data takes on an increasingly central role in all parts of the business.

This more information-centric environment, which is still taking shape, calls for a different way of thinking about and managing risks within the organization (see Figure 1). This change in thinking includes:

  • A move away from the traditional cybersecurity focus on tactical elements like email hygiene and firewalls to a more strategic view centered on the data itself.
  • Less emphasis on responding to threats and more on instilling appropriate behaviors and managing perceptions of risk.
  • A shift from building higher walls and deeper moats that prevent intrusion to ensuring customized value-based risk management that protects each information asset.

A new profile for a more strategic role

The CISO thus will evolve from the unsustainable “cyber czar” position to become responsible for managing the organization’s information risks, supporting and sustaining the appropriate risk management culture and engaging with the C-suite regarding the use of new technologies and the information-risk implications of entering new businesses. Indeed, we can see the beginning of this shift as some sophisticated organizations (especially in financial services) adopt titles such as “Chief Information Risk Management Officer.” This is a welcome development, given that making cybersecurity everyone’s responsibility has been a longstanding goal of the information security community.

In the years ahead, the new breed of information security leaders will need to focus on:

  • Establishing uniform perspectives and behaviors that can crystalize into social norms regarding the use and handling of information at work—even when those norms are different than those governing how people handle personal information at home.
  • Managing the uncertainty and ambiguity that comes from the shift to a front-line, decentralized approach to information security
  • Having exceptional strategic orientation and the ability to communicate and influence outside of one’s chain of command.
  • Technical savviness and broader business understanding, as the role expands from just addressing cybersecurity threats to the broader mandate of managing information risk.

These changes will only take place, however, after the necessary perception and behavior regarding information risk and security becomes broadly ingrained throughout the organization. Until then, information security leaders will have their hands full creating that consensus and nudging us to a more secure future.

Read the full article From Cyber Czar to Risk Officer: The CISO’s Next Evolution in Security Roundtable

Kal Bittianda

Kal Bittianda Egon Zehnder, New York

Connect with us

  • Find a consultant
    Select an office
    • Amsterdam
    • Athens
    • Atlanta
    • Bangalore
    • Barcelona
    • Beijing
    • Berlin
    • Bogotá
    • Boston
    • Bratislava
    • Brussels
    • Budapest
    • Buenos Aires
    • Calgary
    • Chicago
    • Copenhagen
    • Dallas
    • Dubai
    • Düsseldorf
    • Frankfurt
    • Geneva
    • Hamburg
    • Helsinki
    • Hong Kong
    • Houston
    • Istanbul
    • Jakarta
    • Jeddah
    • Johannesburg
    • Kuala Lumpur
    • Lisbon
    • London
    • Los Angeles
    • Luxembourg
    • Lyon
    • Madrid
    • Malmö
    • Melbourne
    • Mexico
    • Miami
    • Milan
    • Montreal
    • Moscow
    • Mumbai
    • Munich
    • New Delhi
    • New York
    • Oslo
    • Palo Alto
    • Paris
    • Prague
    • Rio de Janeiro
    • Rome
    • San Francisco
    • Santiago
    • São Paulo
    • Seoul
    • Shanghai
    • Singapore
    • Stockholm
    • Stuttgart
    • Sydney
    • Tel Aviv
    • Tokyo
    • Toronto
    • Vienna
    • Warsaw
    • Washington DC
    • Zurich
    Select an expertise
    • Executive Search
    • Board Consulting
    • CEO Practice
    • Executive Assessment and Development
    • Family Business Advisory
    • Diversity and Inclusion
    • Accelerated Integration
    • Financial Officers
    • Human Resources
    • Chief Information Officer (CIO)
    • Legal, Regulatory & Compliance Professionals
    • Chief Marketing Officers
    • Supply Chain
    • Sustainability
    • Communications and Public Affairs Officers
    • Consumer
    •     Consumer Products
    •     Media, Entertainment & Sports
    •     Retail, Apparel and Luxury Goods
    • Financial Services
    •     Asset Management
    •     Retail Financial Services
    •     Investment Banking, Corporate Banking & Markets
    •     Insurance
    •     Private Equity
    •     Wealth Management
    •     Risk Management
    •     Financial Tech
    •     Infrastructure
    •     Sovereign Wealth Funds
    • Health
    • Technology and Communications
    •     Telecommunications
    •     Digital
    •     Systems, Services and Software
    •     Semiconductors
    •     Intelligent Systems
    •     Mobile Devices and Apps
    •     Cybersecurity
    •     Big Data
    • Industrial
    •     Automotive and Transportation Equipment
    •     Building Components
    •     Chemical and Process Industries
    •     Energy and CleanTech
    •     Machinery & Industrial Technology
    •     Mining & Metals
    • Services
    •     Transport & Logistics
    •     Travel & Hospitality
    •     Business Services
    •     Real Estate Services
    •     Professional Services
    • Private Equity
    • Public and Social Sector
  • Your Career