Chief Information Security Officers are struggling to find a balance between their risk-management and information security responsibilities.
Chart from Wisegate Community Viewpoints
In a recent roundtable discussion from Wisegate, CISOs across industries confirmed that their roles within organizations are shifting to encompass more risk management responsibilities, an evolution that brings with it a few conflicts of interest.
CISOs are increasingly reporting to the chief risk officer or chief compliance officer in addition to the chief information officer. As part of this shift, organizations are spending more on risk management. While 60 percent of Wisegate members said that they expected no change in spending on security/risk management initiatives trending in parallel to their overall IT spend, a full 40 percent expected increased spending in that department. No members expected a decline.
But when CISOs are confronted with the legal implications of putting risk management first, it can result in some tension within an organization.
Several members noted that balancing risks against resources, while running an information security program that has traditionally focused solely on securing the information, sometimes conflicts with the legal requirement to preserve plausible deniability if something, such as a breach, were to occur.
Members who cited that tension said that they were resolving the issue by “evolving all your people to understand risk management philosophy and help them understand the trade-off here.”
Others stressed that risk assessments are necessary, and the key is to keep the legal team informed but not let them dictate risk assessment processes and procedures.
For more Global News & Analysis, check out the July edition of Security magazine — available online now.