When CISO meets CCO: leading cyber risk management

Security and compliance leadership must closely collaborate to effectively lead the management of cyber risk across the organisation

Between rapidly evolving cybersecurity threats and increased global regulatory enforcement, there has never been a better time to solidify the partnership between the chief information security officer (CISO) and the chief compliance officer (CCO). As enterprise risk and cyber risk continue to intersect, this partnership allows organisations to respond more quickly, minimise disruption and optimise management across the business.




CCOs and enterprise risk management

CCOs are often tasked with managing the enterprise risk programme, and information security is certainly one of the most pressing risks any organisation faces. However, many still classify cyber risk as separate from other compliance-related risks. A successful CISO/CCO alliance for managing cyber risk hinges on the recognition that cyber risk is not solely a technical concern, but a risk permeating the entire organisation.

So, how can the CCO and CISO work together for a successful partnership? Simply put, they must work in tandem to align the security strategy with the broader compliance and risk management goals of the company. Addressing cyber and compliance risk together helps comprehensively identify vulnerabilities and take preventive measures collectively. When these two roles collaborate, it creates a cohesive approach to addressing the complex challenge of cyber risk and how it intersects with compliance risk.

Challenges in achieving harmony

On paper, of course, this partnership makes sense and seems easy enough. But, in reality, there are often several challenges impeding a successful alliance between the two functions:

  • Differing priorities leading to communication breakdown: CISOs primarily focus on protecting sensitive data and the technical aspects of security. In contrast, CCOs are concerned with legal and regulatory compliance. A lack of effective communication and understanding between the CISO and CCO can hinder alignment and coordination, especially when addressing emerging cyber risks.
  • Resource allocation: Historically, both compliance and cybersecurity are seen as cost centres (not revenue drivers), meaning resources are often sparse for both departments. Securing adequate funding has long been a challenge for both cybersecurity and compliance, but a failure in either area can (and often does) cost millions or hundreds of millions of dollars.
  • Organisational silos: Silos of information can be a point of frustration in every industry, especially between compliance and information security. However, as cybersecurity practices begin to face more regulatory scrutiny, as with the recent NIS2 Directive, the overlap in the CCO/CISO responsibility Venn diagram will grow larger.
  • Technology hurdles: Differences in the use of technology, tools, and risk assessment methodologies can pose challenges for alignment and collaboration. Many organisations use disparate systems across departments, meaning information is not always easily shared between compliance and information security.



5 tips for driving collaboration

So, how can the CCO and CISO work towards a harmonious partnership? Let’s explore a few ways to drive this collaboration.

1. Shared objectives

Ensure both the CISO and CCO embrace common objectives. Define your organisation’s risk tolerance and compliance requirements. With a shared vision, it becomes easier to set clear priorities and strategies.

2. Regular communication

Establish a framework for regular communication between the CISO and CCO. Meetings on a regular cadence, joint assessments (with a common risk scoring rubric), and shared reporting mechanisms are essential for staying informed and aligned.

3. Cross-training

Encourage cross-training to bridge the gap between the technical and compliance sides. CCOs benefit from understanding the fundamentals of cybersecurity, and CISOs can better grasp the nuances of compliance and legal requirements. Consider rotating appropriate team members between the two departments for a deeper team-wide understanding of both elements.

4. Collaborative tools

Invest in collaborative tools to facilitate information sharing and risk assessments. Implement integrated risk management solutions that offer a holistic view of both cybersecurity and compliance risks.

5. Incident response plan

Develop a comprehensive incident response plan involving both the CISO and CCO from the beginning. This plan should outline roles and responsibilities for each department, ensuring a coordinated response to cyber incidents.

Empowering employees for cyber risk management

The success of any cyber risk management program relies not only on leadership collaboration; employees are a valuable asset in identifying threats, reporting misconduct, and improving internal communication – but only if they are empowered to do so. So, how do you get there? Start with:

  • Education and training: Provide comprehensive cybersecurity training to employees. Make them aware of the latest threats, best practices, and the importance of reporting incidents or suspicious activities promptly.
  • Clear reporting channels: Establish easy-to-use, confidential channels for employees to report security concerns or compliance breaches. Ensure these channels are well-promoted to all employees and easy to access.
  • Regular testing: Conduct simulated phishing, tabletop exercises for risk and compliance failures, and security drills to test employee awareness and response to threats. Use these to identify areas that need improvement and adjust training accordingly.
  • Open communication: Foster a culture of open communication within the organisation. Encourage employees to share ideas, concerns, and feedback regarding security and compliance matters. When employees feel comfortable raising concerns without fear of reprisal, an information gold mine is opened.



The proactive collaboration of the CISO and CCO, along with an empowered workforce, represents a formidable defence against the evolving threat of cyber and compliance risks. This approach not only safeguards the organisation’s digital assets but also reinforces its commitment to compliance and security, fostering trust among stakeholders and ensuring long-term success.

Bob McCarter is chief technology officer at NAVEX.
