Within the past seven years, the Information Security role has changed. The Chief Information Security Officer (CISO) role has expanded beyond capacity, and rightly so. Information Security has evolved from a responsive and protective function into an operational risk function. As a result of this evolution, there is now a need to separate the Information Security and Information Risk roles.

Day-to-day information security still requires a C-level position in order to ensure that defensive operations are functioning and evolving as new threats develop. However, there is now a need to balance the organizational alignment. While the CISO is managing the shop, who is dealing with the ever-increasing regulatory mandates? Who is evaluating third-party risk? Who is matching the risk appetite of a company against how much it spends on proactive defensive technology?

This cybersecurity evolution creates the need for a new role that is not a peer of the CISO but instead has a more strategic focus. That role is the Chief Information Risk Officer (CIRO).

This is an evolution that is mandated. We can no longer continue to expand the CISO role to the brink of collapse. The average CISO tenure in a position is shrinking because of the overwhelming requirements they must meet. Multiple data sources indicate that CISO tenure is currently 17 months on average. Institutions with a cybersecurity team must either expand their contingent teams and divide and conquer, or hire a risk expert with a combined business, information security, and operational risk management background.

Today’s companies and institutions must face the inevitable when tackling cybersecurity issues. We can no longer just react and spend without taking a proactive approach. We must evaluate and identify a balanced equation between risk appetite and information risk protection.