In today’s risk environment, cybersecurity and data privacy have emerged as the top concerns for corporate board members and senior executives, alongside financial operations. With the alarming increase in cyberattacks, ransomware incidents, and data breaches, companies have experienced the lasting impact of such events. Consequently, there is a growing realization of the need for proactive risk mitigation strategies in the face of cybersecurity threats.

However, boards and senior executives often take a reactive approach to cybersecurity and data protection, primarily because of the steep learning curve in understanding the risks, technologies, and mitigation strategies. Chief Information Security Officers (CISOs) recognize the importance of addressing this knowledge gap and establishing an enterprise-wide system of risk management focused on information technology and security.

To navigate this new path, CISOs and Chief Compliance Officers (CCOs) are collaborating in novel ways. CCOs, with their comprehensive understanding of the organization, risk assessment principles, policy implementation, and training programs, serve as excellent partners in addressing cybersecurity risks. They possess the necessary insight into governance, risk management, and audit principles, making them valuable assets in bridging the gap between cybersecurity and compliance.

Employees themselves are increasingly aware of the significance of cybersecurity and data privacy in the workplace. Having witnessed the dangers of hackers through news reports and personal experiences, employees are motivated to avoid cyber incidents. However, mitigating internal threats requires educating employees on hacker techniques and the latest risks, and implementing best practices for password protection, phishing avoidance, vendor scams, and information security hygiene.

CCOs can leverage their expertise in governance, risk management, training, and auditing principles to support CISOs in addressing cybersecurity challenges. In many companies, CISOs are regarded as a secondary governance function because board members and senior executives are unfamiliar with executing enterprise governance strategies in this area.

Corporate boards are gradually evolving to address cybersecurity risks. Some boards are appointing cyber experts to enhance their cybersecurity capabilities, and if the SEC’s proposed cybersecurity rules are adopted, every board will be required to have such expertise and to disclose its cyber capabilities and experience.

It is crucial to note that at least 50% of cyber or data breaches result from internal actors, whether through intentional actions or negligence. Disgruntled employees can pose significant threats by bypassing data security controls, stealing trade secrets or data, or causing major breaches. Additionally, employees may fall victim to phishing emails because they fail to identify suspicious situations and take the necessary precautions.

CCOs, being experts in developing strategies to mitigate risks and in monitoring employee behavior, are well-positioned to address cyber risks created by internal employee behavior. They can expand existing procedures to include basic cyber risks and collaborate with CISOs in several areas:

Designing Controls: CCOs can work with CISOs to ensure that employees are unable to circumvent internal information access controls. Together, they can ensure proper physical security for on-site data processing and storage, closely monitoring and protecting access.

Training Programs: CCOs excel in designing and conducting training programs. By collaborating with CISO teams, they can ensure employees receive comprehensive training on cybersecurity issues, enabling them to identify and avoid falling for phishing schemes. They can assess training program objectives and make improvements as necessary.

Third-Party Risk Management: A significant portion of cyber and data events are caused by third parties. CCOs and CISOs can collaborate to include cyber risks in the overall third-party risk management program, ensuring that appropriate controls are in place to mitigate potential risks.

Risk Assessments and Auditing: CCOs possess expertise in conducting risk assessments, designing risk mitigation controls, measuring control performance, and conducting testing and auditing. These skills can be applied to cybersecurity programs, enhancing overall risk management efforts.

The collaboration between CISOs and CCOs enables organizations to address cybersecurity and data risks more effectively. By leveraging their respective strengths and expertise, organizations can adopt a proactive approach to cybersecurity, mitigate internal and external threats, and foster a culture of information security throughout the workforce.
October 20, 2023