Information Risk Management

How CISOs Can Build a True Risk Management Function

The New

Data breaches and other information and technology incidents can cost upwards of a billion dollars, cause substantial damage to companies' reputation and brand, and cost executives their jobs.

With the rise of these information risks, the opportunities for Chief Information Security Officers (CISOs) have changed dramatically. Information Security budget and headcount have increased more than 200% in the last four years, and the need for security is clear to business leaders – even up to boards of directors – who are now on notice that they have a fiduciary responsibility to manage information risk.

True Risk Management

True risk management means understanding that there is a correct level of risk, neither too high nor too low.

Burdensome policies or controls can slow businesses down, and excessive risk aversion can lead to poor strategic decisions. Enterprises must ensure that risk decisions balance risk levels against the cost of risk reduction and the business benefits at stake.

Latest Technology Trends = New Opportunities

IT legacy value continues to decline and new technologies are disrupting entire industries. Discover this year’s emerging trends and get practical insight on how to use them. Build the case for more technology investment and plan your next move with ideas and resources on:

  • Managing cybersecurity in a more connected world
  • Improving user experience with artificial intelligence, conversational interfaces and deep learning
  • Securing the Internet of Things
  • Coordinating cloud solutions

From Risk Reduction to Better Risk Decisions

To build a true risk management function that drives good risk decisions, CISOs must:

  1. Create a Business-Relevant Risk Management Framework
  2. Define and Socialize Decision Rights
  3. Align to the Business’s Risk Appetite
  4. Formalize Interfaces with Other Risk Management Functions

A New Approach

Adopting True Risk Management is more than a matter of a few policy changes. CISOs must rethink their approach.

  • Information Security shifts to facilitating risk decisions by the true owners of risk.
  • Processes are simplified for business partner participation.
  • Information Security expands engagement beyond IT and becomes embedded in business operations.
  • Security staff expand skills to include "soft" skills, such as business results orientation and organizational awareness.
  • The security function formalizes processes with other risk management functions.

Staff Competencies That Matter Most

Sixty-seven percent of Security employees interact with someone outside the Security function every day. The Security function is shifting to a more consultative, integrated model—one in which behavioral competencies are the most critical factor in Security staff effectiveness.

The corporate athlete is a Security employee who is good at a variety of business functions and also has strong security expertise.

Tony Spinelli
Former Senior Vice President, Chief Security Officer
Equifax, Inc.

Meet the Experts

Meet the team behind our Information Risk Management insights.

Jeremy Bergsman

IT Practice Leader, CEB Information Risk Leadership Council and CEB Enterprise Architecture Leadership Council

Andrew Horne

IT Practice Leader, CEB CIO Leadership Council

Keep Up with the Demands of Digital Ecosystems

Business models are shifting. At Gartner Symposium/ITxpo, learn how to reduce technical debt faster so you can focus on the opportunities of digital ecosystems. Equip your business with what it needs to grow, such as:

  • More digital security investments and skills
  • Core systems and architectures that are interoperable beyond your walls
  • Platform business models
  • Ecosystem modeling
  • New ways of matching partners, providers and users to create value

The Product

Team Solutions Plus

We empower you and your team to succeed on your key initiatives and projects. All Team Solutions Plus products, available at multiple levels, offer shared access to targeted research and insights, expert research advisors and practitioner perspectives in order to:

  • Make more informed decisions
  • Work more efficiently as a team
  • Drive better business results faster

CISO Coalition™

An expert network of security leaders creating and refining approaches to information risk management. Key benefits include:

  • Pickup teams that collaborate on specific emerging threats
  • Weekly Help Desk
  • Daily Security Briefing
  • Peer-led webinars

We had an attack this year and reached out to our contact at CISO Coalition. Within five hours, 14 CISOs offered us their guidance.

Catharina “Dd” Budiharto
Director, Information Security
Chicago Bridge & Iron Company

Leadership Academy

An intense 12-week online development program that develops your risk managers, cybersecurity professionals, and teams in what it means to think and act as a cybersecurity leader.

This collaborative readiness program is led by Fortune 500 CISOs and peers who deliver their proven frameworks and insights on how to protect data assets and the enterprise brand.

Case Studies

Business-Driven Risk and Control Framework

TD Bank's end-to-end risk and control framework greatly reduced the level of effort required to complete risk assessments.

Driving Engagement Skills Down the Organization

Equifax drove higher performance and innovation levels by developing security skills throughout the Information Security function.

Decision-Making Resources
Information Security Strategy on a Page

How to communicate a clear, concise, and measurable strategy for the Information Security function

Case Studies

Defining Ownership of Risk Decisions

How Air Products built a framework to identify the true owners of risk, speeding up decisions and improving their quality.
Five Principles of Cybersecurity Board Presentations

Considerations and tips for presenting to the board of directors and senior leaders about cybersecurity

Featured Press

Don’t Let Hackers Hold Your Business To Ransom

Ransomware is just one example of the advanced, persistent cyber-threats that firms face. Here are four steps to reduce the threat ransomware poses to firms.

Addressing The Runaway Demand For Information Security

With organizations going through digital transformation, IT leaders must fundamentally change how information security services are delivered.

Security Talent Management for the Digitization Era

Three key shifts information security leaders must make to successfully compete for, hire, and manage the best talent for the digital era.

The CISO Coalition helps security professionals to capitalize on our combined knowledge to protect our respective environments.

Marc Varner
Global CISO