As the FAIR model and risk quantification bring cyber risk management in line with the rest of enterprise risk management, the roles of CISO and CRO also pull closer together. A panel discussion at the recent 2018 FAIR Conference showed a cooperative CISO/CRO relationship in action – Omar Khawaja, CISO at Highmark Health, and Dennis Cronin, CRO at Highmark, got into the details of how they tag-team cyber risk reporting, with input from moderator Amjed Saffarini, CEO, CyberVista, and Mary Ann Blair, CISO, Carnegie Mellon University, the host for FAIRCON18.
Some tips from the discussion, especially for CISOs:
- Make sure to align methodologies for cyber risk management with the ERM program.
- Develop a direct reporting relationship by CISO and CRO with the audit committee of the board.
- Reach out to senior executives and develop relationships so they enjoy hearing from you. For instance, Omar recently held meetings with executives to discuss their personal online safety.
- “Make sure we are part of the operational fabric of the organization,” Omar says. “We would much rather the business reach out to us and say, ‘We’re doing this [initiative], can you help us do it safely?’”
- Keep infosec and risk staffs in constant contact.
- Let everyone know that cybersecurity has high level support from the C-suite and the board.