Should the CISO be GRC or SecEng?
Well, which mitigates the greater financial risk to your business?
Security people come in two flavors: GRC and Security Engineers. Both manage risk.
GRC mitigates regulatory and legal risk: loss prevention against regulators, lawyers, etc.
Security Engineering mitigates the risk from active adversaries in the cyber domain. Hackers, in other words. Loss prevention against getting hacked.
The CISO is dual hat. They have to run both GRC and Security Engineering.
So who should you hire to be CISO? Someone with a GRC or SecEng background?
And critically, who reports to whom?
Depends on your risks as a business. That’s because security is a function of finance.
If your threat model primarily consists of avoiding regulatory fines or lawsuits, and the worst case scenario of getting hacked is mild, then it would be a rational choice to hire a GRC expert to run your compliance-driven security program.
If, on the other hand, your threat model includes hackers exploiting your company systems on the cyber domain, and if the potential financial loss exceeds the regulatory risk, well then clearly your CISO should be an expert in cyber defense. A security engineer.
Most companies need to do both.
The problem tends to arise when GRC folks are asked to manage security engineers. Compliance is a vital business function but tends to skew toward less technical, checklist-management types. That is a needed job function, but shuffling paperwork and defending against active adversaries are two completely different skill sets.
In short: The bigger risk leads.
If your real security risk exceeds your compliance risk, then you must hire a security engineer-track CISO to lead your company’s security function.