Are your CISO and CPO on the path to collaborative risk management?

Pamela Hrubey, Michael Lucas
Collaborative risk management for CISOs and CPOs

When an incident occurs involving personal data or sensitive information, many organizations bring together their chief information security officer (CISO) and chief privacy officer (CPO) to help formulate a response and identify a root cause. All too often, though, that’s the only time when these two leaders and their information security and privacy teams collaborate to address a challenge.

One reason for this lack of collaboration is that these teams often take the narrow view that information security is a technology challenge while privacy is more of a legal or governance challenge. In those instances, CISOs and CPOs might be missing out on convergence opportunities that would allow them to proactively identify and mitigate potential risks the organization is facing.

While CISOs and CPOs use different metrics and data points to measure performance for their unique teams, your organization might want to consider establishing common controls that can foster collaboration between the two so that it can manage risk more consistently and proactively.

Many organizations don’t appreciate the natural overlap between CISOs and CPOs

The continually evolving risk landscape can blur the lines of responsibility between your CISO and CPO. Many CISOs might overestimate just how much they can influence privacy risks. Likewise, CPOs might think the CISOs are the only ones who need to deal with cybersecurity risks.

As a result of that disconnect, CPOs and CISOs sometimes feel misunderstood or disconnected, making a collaborative risk management strategy difficult to implement. But the responsibilities of risk management don’t need to belong to a single person or team. Risk management is an organizationwide responsibility that benefits from leadership, proactive engagement, ongoing teamwork, and strong communication by information security and privacy teams.

Building a risk-based approach into the fabric of your organization can help reveal all the areas where information security and privacy interconnect. Rather than reacting to incidents as they occur, your CISO and CPO can proactively work together to understand the potential risks facing your organization and how to protect the organization and your customers.

Improved collaboration helps make risk management more consistent, visible, and efficient

Improved collaboration helps make risk management more consistent, visible, and efficient

Information security and privacy incidents are two of the top risks nearly all companies face, and that dynamic affects how CISOs and CPOs work together in a number of areas, including:

  • Breach management and notification
  • Data protection
  • Access management
  • Training and awareness

For example, having one data protection policy that addresses privacy and a different version for information security can be redundant and extremely confusing to employees. Instead, CISOs and CPOs can approach the risk framework together to identify common risk language, controls, awareness campaigns, and governance programs that holistically support both information security and privacy.

Manual tools make collaborative risk management difficult to achieve

As organizations face an increasingly complex risk landscape due to new products and services, mergers and acquisitions, and a global marketplace, CISOs and CPOs often find it difficult to identify and manage risks clearly and consistently. A technology platform that centralizes risk information, monitors risk metrics, and creates visibility for reporting can help foster collaborative risk management and illuminate the resulting value for the organization.

That’s why we created the Crowe Risk Intelligence Suite, which helps you build a risk-based approach to information security and privacy with a library of common content that can be monitored throughout the business. The Crowe Risk Intelligence Suite relies on the strengths of traditional governance, risk, and compliance tools in three key areas:

  1. A library of leading practices related to risks, key risk indicators, key performance indicators, and mitigation plans
  2. A framework to retrieve data from key business systems to analyze data and convert into quantifiable metrics
  3. A tool that measures the potential economic risk related to privacy, cybersecurity, and third-party risk management

Let’s connect

Want to learn more about how your CISO and CPO can take advantage of a collaborative risk management process? We’d be happy to talk. Contact us, and we’ll make time to chat.
Pam Hrubey
Pamela Hrubey
Principal, Consulting
Michael Lucas
Michael Lucas