January 25, 2024
At a Glance
- True business advantages lie in incident response and quickly restoring operations that maintain business continuity.
- For IT, risk management is no longer as simple as mitigating risks to protect your business.
- The position isn’t overly popular yet, but CCROs bridge the multi-dimensional gaps in building organizational resilience.
Cyber risk management is no longer as simple as mitigating risks; at some point these very risks will become reality. A true business advantage lies in incident response and quickly restoring operations that maintain business continuity. So an organization's ability to anticipate, withstand, recover from, and adapt to adverse events or cyberattacks without jeopardizing its ability to provide valuable services is now a top priority. Even the most promising companies have had to close their doors because of data breaches or other cyber incidents due to their inability to protect their users, assets, and customers.
Therefore, there is a growing need for efficient and effective responses to these threats that align risk management processes and business goals. Businesses need visionaries with a collaborative mindset and a holistic approach. However, cyber resilience hasn’t traditionally been the exclusive role of the chief information security officer (CISO), the chief information officer (CIO), or others in the C-suite.
Though the position isn’t common yet, some businesses are considering a chief cyber resilience officer (CCRO) as the answer to bridging the multi-dimensional gaps in building organizational resilience. At eSentire, the answer was simple: Tia Hopkins. In February, the global award-winning cybersecurity executive and best-selling author was appointed as eSentire’s first-ever CCRO, after beginning her tenure as its Field CTO. Hopkins spoke to InformationWeek about this new role and its growing importance.
Why a CCRO is Necessary Now
“Think about the new [U.S. Securities and Exchange Commission (SEC)] cyber rules and disclosure requirements, because a cyber incident can materially impact the value of a business in the marketplace,” says Hopkins. “We'll see the role popping up more and more as an operational outcome within security programs and more of a focus in business. In the wake of the pandemic and macroeconomic conditions and everything, what business leader isn’t thinking about business resilience? So, cyber resilience tucks nicely into that.”
On the surface, the standalone CISO role isn’t much different because it serves as the linchpin for securing the enterprise. There are many different flavors of CISO, says Hopkins. Some are business-focused, with teams that take on more compliance tasks as opposed to more technical security operations. Other CISOs are more technical, meaning they’ll monitor threats in the environment and respond accordingly, while compliance is a separate function.
However, the stark differences between the two roles lie in the mindset, approach, and target outcome for the scenario. The CCRO’s mindset is “it’s not a matter of if, but when.” So, the CCRO’s approach is to anticipate cyber incidents and make incident response preparations that will mitigate material damage to a business. They act as a lifeline.
This approach is arguably the role’s most quintessential attribute. “So,” Hopkins explains, it’s “shifting from the mindset of ‘I've got to reduce risk’ and that being it, to ‘I've got to make sure my business is resilient’ and that becomes the outcome.”
As Hopkins describes, her previous role as field CTO was more about leveraging technology to solve business problems, while her current role is responsible for eSentire’s end-to-end cyber resilience strategy where she leads a team focused on exposure management.
New Exposures to Manage?
This is the time of year when predictions on next year’s trends run rampant, and generative AI sits at the top of that list for many in the industry. “We're still trying to figure out what generative AI is and the best way to get visibility into it so we can secure organizations that leverage the technology,” says Hopkins. “We're using it on the good side for scalability and innovation, but so are the attackers.”
Emerging threats within emerging technology need to be top of mind for anyone in a role where they're responsible for the security and resilience of an organization, whether that’s your CCRO or board of directors. As business needs continue to evolve and expand globally, so will the workloads on several CISOs – and that may carve out more lanes for CCROs to coexist.