Light Dark
August 19, 2014 By Christopher Burgess 2 min read
CISO
Risk Management

Another C has found its way into the lexicon of the C-suite: the chief risk officer (CRO).

Some may be scratching their heads and wondering why CROs are necessary. After all, isn’t risk already part of the domain responsibility of the chief executive officer (CEO), general counsel, chief security officer (CSO), chief information officer (CIO), chief information security officer (CISO) and chief operating officer (COO)?

The answer is yes; every member of the C-suite is responsible for their domain and for ensuring the remainder of the enterprise or company benefits from their decisions and counsel for collective risk management. Bringing the CRO — or the digital risk officer, as the role is sometimes referred to in the technology world — to the forefront allows risk management to be consolidated and uniform throughout the enterprise.

The Rise of the CRO

Gartner projects that one-third of large enterprises will have a digital risk officer by 2017 and that the role will broadly emerge in 2015. The role will require skills in business knowledge, communication, risk management, privacy and technology. This sounds eerily similar to what has been advocated for the CISO who wishes to secure his or her seat at the corporate strategy table. Make no mistake: The CISO who exhibits dexterity in identifying and mitigating cyber risks will continue to be a key piece of the CISO-CRO dance.

The CRO who has visibility across the enterprise or company — specifically into the domains of the general counsel, CEO, CIO, COO, etc. — ensures that risks are addressed in the broadest possible manner, with the business outcomes at the forefront. This allows the CISO’s team to address the local execution against the constant onslaught of the technological probes and attacks hitting the company’s infrastructure perimeter and evolving from within.

The role also allows for the natural evolution of a business-driven solution of information technology (IT) policies and procedures. Business ownership enforcement ensures the IT security department is not the “No Police” but rather a key part of the solution. This way, policy creation is a risk management solution, and no IT policy will stunt the company’s business processes. Should a risk be identified as both open and with no immediate migration solution, the CRO with a broader perspective can advise as to the course of action to be taken.

CISO at the Corporate Strategy Table

The CISO’s place at the corporate strategy table is not a risk. The CISO will be at the right hand, if not attached to the hip, of the CRO.

The CISO’s cyber incident response team (CIRT) will be a critical component as well. The CIRT will be able to move beyond the infamous “whack-a-mole” technique and engage in both incident response and education.

With education and overall boosted awareness, the individual user and his or her principals — those in the various roles within the C-suite) — will recognize the evolution from “No, don’t do that,” to, “This is how we should do that, and for these reasons.”

Download the IBM Report: Cybersecurity perspectives from the boardroom and C-suite

 |  |  |  |  |  |  |  |  | 
Christopher Burgess
CEO at Prevendra

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature