Skip to content


Harry Cassin
Publisher and Editor

Andy Spalding
Senior Editor

Jessica Tillipman
Senior Editor

Bill Steinman
Senior Editor

Richard L. Cassin
Editor at Large

Elizabeth K. Spahn
Editor Emeritus

Cody Worthington
Contributing Editor

Julie DiMauro
Contributing Editor

Thomas Fox
Contributing Editor

Marc Alain Bohn
Contributing Editor

Bill Waite
Contributing Editor

Russell A. Stamets
Contributing Editor

Richard Bistrong
Contributing Editor

Eric Carlson
Contributing Editor

Worth MacMurray: Should CCOs become Cyber-Governance Czars and Czarinas?

In the past few months, The Atlantic, the New York Times, and Time magazine have all featured stories on professional reinvention — changing course at some point during one’s career. It’s a timely topic as employers increasingly adapt to talented individuals’ needs or wishes to work differently, in terms of time, place and subject matters.

Some changes can be dramatic, such as going from a city health care practice to becoming a butcher in the countryside. Other re-inventions can be less dramatic and involve staying in the same job at the same company but taking on an entirely different additional responsibility.

Some CCOs with legal training are already doing this by taking on corporate secretary duties. Other compliance officers are participating in internal audit activities, to get hands-on controls assessment experience.

One emerging corporate need is particularly well-suited to the CCO’s skill set: Cyber-Governance Czar or Czarina.

Cyber-governance, in simple terms, is the corporate (or organizational) governance that applies to an entity’s cybersecurity activities. It’s the human overlay to the technical aspects of cybersecurity protection. And it can be the missing element identified in countless cyber breaches.

As the forensic specialists and regulators do the “lessons learned” analysis after remediation and clean-up, the vast majority of root causes trace back to human error. There are gaps or miscommunications about who was responsible for what. Basic preventive techniques were not employed, etc. And there was no single point of responsibility to identify that these basic non-technical problems existed.

What do CCOs generally do now concerning their existing scope of work?

(1) They identify, analyze and operationally apply standards and leading practices through programs consisting of policies, practices, protocols, controls and communications in various forms.

(2) They interact with all levels of the organization.

(3) They periodically report to senior management and the board on programmatic status and developments, as well as specific compliance trends, and

(4) They investigate and remediate when there are identified instances of non-compliance — including working with outside professionals and regulators.

All four functions apply to a U.S. cyber-governance context.

With respect to (1), cybersecurity leading practices and de facto standards (including both non-technical and relatively straight-forward technical elements) are found in the widely followed NIST (National Institute of Standards and Technology Cybersecurity Framework) and SANS (SANS Institute – The CIS Critical Security Controls for Effective Cyber Defense) frameworks. Some immersion into basic IT is involved, but the beauty of the NIST standard in particular is that it is written to be understandable by non-IT persons.

Through applying these cybersecurity frameworks on top of a U.S. Sentencing Guidelines “effective compliance program” construct, one can create a cyber-governance program that is tailored to your organization’s unique facts and circumstances. If followed, the existence of this program and the CCO as the single point of responsibility can be persuasive in supporting the high ground position of being a proactive “good corporate citizen” in the event of a cyber breach.

Take another look at the activities listed in (2) though (4). The additional cyber-governance role essentially mirrors what the CCO is already doing, albeit with a new and timely subject matter.

Cybersecurity risk is now rated as matching or exceeding overseas bribery risk as the top of mind issue in many board and executive surveys.

CCOs looking for intellectual challenge (and increased compensation, if not heightened attention from headhunters) may want to consider taking on a cyber-governance role. A re-invention possibility may be at your fingertips.


Worth MacMurray is the U.S. General Counsel and Chief Compliance Officer of GAN Integrity Inc. in McLean, Virginia. He can be contacted here.

Share this post


1 Comment

  1. I respectfully disagree. Most of us in the real world are already over-taxed, understaffed, underfunded, and sleep-deprived dealing with matters that are more squarely "compliance". Protecting an organization from a cyber-attack is the responsibility of the CIO. And, I assure you that my compensation will not increase by sticking my head above the parapet on this one, just as it did not with Conflict Minerals, CA Supply Chain, UK Human Slavery, EU Data Privacy, or any of the many other emerging compliance trends for which I have had to take responsibility–and now potentially criminal responsibility if the program fails. No, thank you!

Comments are closed for this article!