What’s the difference between CISO and SIRO? Everything you need to know
The SRM Blog

Written by Ian Armstrong

9th June 2020

Acronyms. You either love them or you hate them.

In the world of business it’s hard to keep away from acronyms for long. When time means money it’s often necessary to expedite terms, phrases and sentences by distilling them down to a select few letters. And it has to be said that in the world of cybersecurity we’re guilty of bandying about our fair share of cryptic clues – ones that those in the loop understand instantly, while those new to the industry may need a quick Google search to decode.

Of course, at SRM we understand that part of our role when working with clients is to cut through the technical jargon and help organisations to understand the ins and outs of information security. So, when our Live Chat tool (which you’ll see in the bottom right corner of your screen) fielded the same question twice in one week, we thought it might be a good idea to craft a blog post on it.

That question was: What’s the difference between CISO and SIRO?

Or to translate that: What’s the difference between a Chief Information Security Officer and a Senior Information Risk Owner?

Let’s get started.


What is a CISO?

A Chief Information Security Officer, or CISO, is the executive responsible for maintaining an organisation’s information and data security. The title is often used loosely alongside others such as CSO (Chief Security Officer, whose remit frequently also covers physical security) and BISO (Business Information Security Officer, a role that usually sits within a business unit and translates security requirements for that unit). As digitalisation becomes a larger aspect of businesses and industries as a whole, the importance and remit of the CISO continues to expand and diversify.

A CISO is responsible for the day-to-day cybersecurity responsibilities within a business, including:

  • Real-time analysis of immediate and emerging threats
  • Keeping abreast of current cyber risks and anticipating security problems before they become incidents
  • Data loss and fraud prevention
  • Security architecture, including planning, purchasing and rolling out security hardware and software, and ensuring the supporting infrastructure is fit for purpose
  • Ensuring only authorised persons can access business data and systems (identity and access management)
  • Implementing programmes and projects to mitigate identified risks
  • Investigating breaches and feeding the lessons learned back into controls so that similar incidents are avoided in future
  • Making sure all security initiatives run smoothly
  • Design, development and implementation of an Information Security Awareness programme

Depending on the shape, size and nature of an organisation, a CISO role can be a full-time job or it can be an additional role given to a team member with other duties. In either case, it is imperative that the individual has the requisite knowledge to undertake such a role in a competent and professional manner.

Due to the ever-growing demands of the position, however, it is notoriously difficult to fill this type of role with a professional experienced in multiple fields. In such cases, retaining an experienced external consultant to fulfil CISO duties is often the preferred option. At SRM we perform such a role for a number of our clients as a Virtual CISO – or vCISO.


What is a SIRO?

The role of a Senior Information Risk Owner is one normally undertaken by an Executive Director or at least a member of an organisation’s Senior Management Team. This person takes on overall accountability for the organisation’s information risk policy and for the risk decisions made under it. Unlike a CISO, whose role is largely operational, the SIRO is an accountable owner at board level and does not need to be a technical specialist, although the role does depend on advice from the CISO or an Information Security Manager.

SIROs have a responsibility to understand how the business goals of an organisation may be affected by risks to its data, including information security risks, and to ensure that the most appropriate risk mitigation is chosen and put in place. The SIRO role originated in UK government data handling guidance, and SIROs are there to make sure the organisation applies government-standard information security measures and meets the legal and policy requirements it operates under.

As such, SIROs are particularly common in the UK public sector and in industries such as Health and Social Care, where the role is a standing part of the information governance structure.


What challenges do professionals in these positions face?

It can be difficult to find individuals with the experience and skillset necessary to take on such demanding roles within an organisation. And once the right individual is found, provisions, additional support and resources will be necessary. After all, the world of cybersecurity must constantly evolve in order to stand strong against criminals in their many guises.

Poor recruitment efforts are commonplace in many such roles. This is understandable in many cases because boards and senior managers typically don’t possess the job-specific expertise to be able to distinguish between good candidates and average ones.

The shortcomings of an applicant often only become evident when a problem occurs and the role becomes too much for an incumbent. This can lead to periods of disruption within the business.


Enlisting security while working remotely

If your business has identified the need for genuine information security and risk expertise and you are looking for a cost-effective and reliable solution to your requirements, our VirtualCISO™ and VirtualISM™ (Information Security Manager) services may be just what you are looking for. This is particularly relevant for those organisations currently transitioning to a more flexible, remote working model, which has placed strain on in-house IT resources.

In larger organisations, we are able to work closely with in-house CISOs and SIROs to provide additional support – be it on a specific project or simply to meet the requirements of a sizeable organisation where one professional cannot manage all security and risk responsibilities alone.

Interested to find out more? Get in touch today by clicking here.
