Acronyms. You either love them or you hate them.
In the world of business it’s hard to keep away from acronyms for long. When time means money it’s often necessary to expedite terms, phrases and sentences by distilling them down to a select few letters. And it has to be said that in the world of cybersecurity we’re guilty of bandying about our fair share of cryptic clues – ones that those in the loop understand instantly, while those new to the industry may need a quick Google search to decode.
Of course, at SRM we understand that part of our role when working with clients is to cut through the technical jargon and help organisations to understand the ins and outs of information security. So, when our Live Chat tool (which you’ll see in the bottom right corner of your screen) fielded the same question twice in one week, we thought it might be a good idea to craft a blog post on it.
That question was: What’s the difference between CISO and SIRO?
Or to translate that: What’s the difference between a Chief Information Security Officer and a Senior Information Risk Owner?
Let’s get started.
A Chief Information Security Officer, or CISO, is responsible for maintaining an organisation’s information and data security. The title is often used interchangeably with others such as CSO (Computer Security Officer) and BISO (Business Information Security Officer). As digitalisation becomes a larger part of businesses and industries as a whole, the importance and remit of the CISO continue to expand and diversify.
A CISO is responsible for the day-to-day cybersecurity responsibilities within a business, including:
Depending on the shape, size and nature of an organisation, a CISO role can be a full-time job or it can be an additional role given to a team member with other duties. In either case, it is imperative that the individual has the requisite knowledge to undertake such a role in a competent and professional manner.
Due to the ever-growing demands of the position, however, it is notoriously difficult to fill this type of role with a professional experienced in multiple fields. In such cases, retaining an experienced external consultant to fulfil CISO duties is often the preferred option. At SRM we perform such a role for a number of our clients as a Virtual CISO – or vCISO.
The role of a Senior Information Risk Owner is one normally undertaken by an Executive Director or at least a member of an organisation’s Senior Management Team. This person takes on overall responsibility for an organisation’s information risk policy.
SIROs have a responsibility to understand how an organisation’s business goals may be affected by risks to its data, including information security risks, and to put in place the steps needed to determine the most appropriate risk mitigation. SIROs are also there to implement government-standard information security measures, helping organisations meet the legal guidance and policies that govern their operation.
As such, SIROs are particularly common in industries such as Health and Social Care.
It can be difficult to find individuals with the experience and skillset necessary to take on such demanding roles within an organisation. And once the right individual is found, provisions, additional support and resources will be necessary. After all, the world of cybersecurity must constantly evolve in order to stand strong against criminals in their many guises.
Poor recruitment efforts are commonplace in many such roles. This is understandable in many cases because boards and senior managers typically don’t possess the job-specific expertise to be able to distinguish between good candidates and average ones.
The shortcomings of an applicant often only become evident when a problem occurs and the role becomes too much for an incumbent. This can lead to periods of disruption within the business.
If your business has identified the need for genuine information security and risk expertise and you are looking for a cost-effective and reliable solution to your requirements, our VirtualCISO™ and VirtualISM™ (Information Security Manager) services may be just what you are looking for. This is particularly relevant for those organisations currently transitioning to a more flexible, remote working model, which has placed strain on in-house IT resources.
In larger organisations, we are able to work closely with in-house CISOs and SIROs to provide additional support – be it on a specific project or simply to meet the requirements of a sizeable organisation where one professional cannot manage all security and risk responsibilities alone.
Interested to find out more? Get in touch today by clicking here.