In the high-stakes world of cybersecurity, success is often measured by the strength of firewalls and the speed of incident response. However, a new report from McKinsey & Company suggests that the most critical asset for any organization isn't a technology—it's the "leadership factory" within the risk function.
As the threat landscape becomes increasingly complex due to AI acceleration, shifting regulations, and geopolitical volatility, the role of the security leader is evolving. For CISOs and their teams, the McKinsey research provides a blueprint for transforming from technical gatekeepers into strategic risk leaders.
The article, "How Chief Risk Officers Can Build the Next Generation of Leaders," identifies four key actions for cultivating a bench of talent capable of navigating today's disruptive environment.
- Define the modern leadership profile: Technical fluency and compliance are no longer enough. Tomorrow's leaders must be decisive amid uncertainty, maintain a strong external orientation, and harness advanced analytics to drive impact.
- Broaden the talent aperture: Chief Risk Officers (CROs) are encouraged to look beyond traditional backgrounds. For cybersecurity, this means recruiting talent from data science, business operations, and psychology backgrounds to build a more diverse and resilient defense.
- Create stretch opportunities: Growth happens during high-priority initiatives. Leaders should place their top talent in roles that force them to balance growth considerations with risk management, such as leading a secure AI adoption project.
- Build a resilient culture: Modern leadership must be sustained by systems that make career paths visible and celebrate risk management as a forward-looking discipline.
CISO vs. CRO: same language, different dialects
A common question in the industry is whether a company needs both a Chief Risk Officer and a Chief Information Security Officer (CISO). While their goals often overlap, they occupy distinct spaces in the organizational chart.
- The CRO: This role has an enterprise-wide scope, overseeing financial, market, operational, and reputational risks. They focus on the organization's overall risk appetite and ensuring capital is allocated effectively to manage a diverse portfolio of threats.
- The CISO: This role is a specialized subset of risk management focused on digital assets, data integrity, and system availability. While many CISOs once reported to the CIO, many are now moving to report directly to the CEO, the board, or the CRO to ensure their risk assessments remain unbiased by IT performance goals.
In larger enterprises, it is common to have both roles. In this structure, the CISO often functions as a "business risk" leader specifically for the cyber domain, while the CRO integrates those findings into the broader corporate risk profile.
Understanding the difference in what these two leaders look for is key to collaboration.
| | CRO | CISO |
|---|---|---|
| Primary goal | Protect the organization's financial health and long-term viability. | Protect the confidentiality, integrity, and availability of digital assets. |
| Key metric | Risk-adjusted return on capital and insurance premium outcomes. | Mean time to detect (MTTD), threat actor activity, and control effectiveness. |
| Focus area | Market shifts, credit risk, geopolitical crises, and supply chain fragility. | Vulnerabilities, phishing campaigns, ransomware, and insider threats. |
| Outcome | Ensuring the business can survive any "bad day," financial or otherwise. | Ensuring the digital infrastructure is resilient against constant attack. |
From the report:
"Based on our research and experience, we believe the 21st-century risk leader embodies five critical traits:
- Business fluency as a core skill: Risk leaders are expected to shape business outcomes and establish the organization's risk stance by demonstrating commercial awareness and operational excellence in their role. This becomes even more critical as CROs increasingly serve as strategic partners to the business, helping to balance growth and prudence in an environment of heightened uncertainty and rapid change. In many organizations, up to half of risk officers were previously in senior business roles. 'The role of the CRO is to actually take risk to grow the business,' said Nigel Williams, former CRO at Commonwealth Bank. 'It is about choosing where you want to grow and what risks that you take.'
- Emerging technical and domain mastery: Emerging risk areas such as AI, cyber, and crypto are fundamentally reshaping the risk landscape. Risk functions need leaders with deep fluency in these domains—and the foresight to anticipate how they will evolve. As AI adoption accelerates, for example, leaders are expected to not only grasp the technical dimensions but also connect them to business strategy.
- Influence and executive presence: Leaders need to distill complex, technical, and ambiguous issues into clear, actionable recommendations so that they can credibly influence the business agenda. As Marlene Debel, MetLife's CRO and head of MetLife Insurance Investments, told us, 'At some point in your career, your technical skills become table stakes... what gets you the next role is your ability to also lead, manage, influence, and negotiate.' To do this well, risk leaders are expected to have the executive presence to engage with top leadership. As Trevor Adams, former CRO of Nedbank, said, 'EQ [emotional quotient] is more important than IQ. Being technically smart is no longer enough. And being correct is not sufficient; it is how you convey the message.'
- Orthogonal thinking: The most effective leaders are able to assess today's risks and opportunities, while also anticipating what may lie ahead—using orthogonal thinking to surface emerging threats and unconventional opportunities before they become visible to others. Orthogonal thinkers look around corners, challenge assumptions, and connect dots others might miss. They combine curiosity with constructive dissent, pushing teams to test conventional wisdom and explore second-order effects. As Maria Morris, chair of the Board Risk Committee at Wells Fargo, said, 'The best risk talent are those who ask what if and why questions.' In doing so, they help organizations not only manage risk but redefine the boundaries of opportunity.
- Adaptability and resilience: In an environment where priorities can shift overnight, the most effective leaders have developed battle scars by stepping into ambiguity, driving transformation, and taking on challenges without guaranteed playbooks. They rally teams through disruption, abandon approaches that no longer serve, and model the grit and steadiness that inspire confidence."
More from the report:
"With a clearly defined profile of modern risk leadership, CROs can focus on spotting the individuals who embody these traits.
Successful risk leaders treat talent identification as a core leadership responsibility, which requires looking beyond the usual suspects and proactively identifying high-potential leaders before they disengage or move elsewhere. Leading CROs are now deliberately broadening sourcing channels beyond the traditional confines of the risk function to include adjacent areas such as data science, operations, finance, and technology. As we've explored in past research, the strongest candidates moving into risk and compliance for the first time often bring a set of transversal skills (for example, information processing and inductive reasoning) from their prior experience.
'We would not be able to accomplish what we need with monotone experiences and skill sets,' explained Ben Rosenthal, CRO of New York Life. 'We need attorneys, auditors, actuaries, technologists, PhD mathematicians, physicists... you name the background.'"
What this means for security teams
For cybersecurity professionals, the McKinsey report is a call to action. Security teams must stop viewing themselves as a support function and start acting as a leadership factory.
The next generation of cybersecurity leaders will not just be the ones who can write the best code or configure the tightest firewall. They will be the ones who can walk into a boardroom, speak the language of the CRO, and explain how a specific technical risk impacts the organization's bottom line.
By adopting the CRO's focus on strategic enablement and decisive action, the security function can future-proof the organization while redefining its role in the enterprise.