CISOOnline

6 security leader tips for mastering business risk

“CISOs need to provide input and remediation on the impact of security cost because these often-hidden costs have a negative impact on profitability,” he says. “This is usually overlooked by finance teams when analyzing the true cost of goods sold, and if CISOs are not plugged into the evaluation of business risk, it can easily be dismissed.”

The expansion of Kersten’s remit into business risk isn’t unique. CISOs across industries are increasingly expected to identify and address business risks that in the past had been outside the bounds of their roles.

“While CISOs traditionally focused on protecting systems, networks, and data, today’s business environment requires security leaders to understand how cyber threats impact revenue, operations, customer trust, regulatory obligations, supply chains, and strategic objectives,” says Dale Hoak, CISO at software firm RegScale. “The distinction between business risk and security risk is becoming increasingly blurred.”


