Risk in Context

Chief Operating Officer: Cyber Risk Now Key for CEO’s Top Lieutenant

Posted by Matt McCabe 05 November 2015

Among the roles in the C-suite, perhaps none has more variability in its function from company to company than the chief operating officer (COO). The COO is generally regarded as the CEO’s right hand, with responsibilities that typically range from overseeing the daily execution of business strategy to driving a specific strategic initiative. But no matter the setup, today’s COOs would do well to position themselves among the key cybersecurity stakeholders.

Consider a COO charged with gaining efficiencies through technology upgrades, process management, and automation. Overseeing data related to intellectual capital, vendors, employees, and other critical business functions is part of the job. And that means managing cyber risks.

Not doing so could lead to the disclosure of confidential data, suspension of critical activities, questions about the company’s integrity, failure to reach company goals and objectives, and ultimately lost shareholder value.


COOs must factor cybersecurity into their daily mission. What that means will vary by company, industry, and geography: For a global manufacturer, it may be ensuring work can continue should an attack knock out a production facility; for a healthcare organisation, it may be securing access to patient data; for a utility, it could be keeping service reliable.

Regardless of the business, fast-moving cyber events can quickly escalate into crises, derail profitability, damage reputations, and more. For a COO, asking the following seven questions can help prepare you for a cyber incident:

  1. Am I aligned with the CEO’s expectations regarding cybersecurity?
  2. Am I effectively partnering with the chief information officer (CIO) to manage cybersecurity?
  3. Am I helping to establish a culture of shared cyber responsibility?
  4. How would a cyber event impact the global scope of operations?
  5. Have we put in place effective cyber training so that all employees understand their roles in cyber risk management?
  6. Have we secured our supply chain through such measures as limiting access to systems and data?


Most companies dedicate the bulk of their cybersecurity budgets to technology aimed at preventing an attack. But all too often, the millions spent on a hardened perimeter are wasted through internal negligence or other weak links, such as a vendor’s loose cybersecurity controls.

COOs can play a strong role in enhancing cyber protection by helping the company see beyond prevention – and look beyond its own firewall. For example, a COO can ensure that outside vendors have strong cybersecurity protocols.

As key stakeholders in cybersecurity, COOs have an obligation to support the organisation’s continuous improvement of its cyber risk management, especially as the threats evolve. Mitigating cyber risk involves security functions, business processes, and stakeholders across the enterprise working together – something a COO is well-positioned to influence.
