Light Dark
October 29, 2018 By Paula Musich 4 min read
Data Protection
CISO
Risk Management

As IT security evolves as a corporate priority, so do the roles and responsibilities of the executive team. Three C-level executives in particular — chief information security officers (CISOs), chief data officers (CDOs) and chief risk officers (CROs) — are challenged to take a more hands-on approach to effectively address security concerns for their board. The tasks of protecting business-critical data and ensuring compliance with regulatory mandates have taken on greater urgency as board-level concerns elevate the focus on enterprise data risk management.

Individuals in each of these roles have a responsibility to ensure that mission-critical data is managed in a way that reduces the likelihood of it falling into the wrong hands. Each role, however, brings a different perspective and mission to the task.

Join the webinar

The Chief Information Security Officer: A Seasoned Enforcer

Out of the myriad responsibilities of the CISO, his or her top objective is to mitigate data risk through a well-designed, in-depth defense strategy that orchestrates an effective combination of people, processes and technology. The CISO’s organization — long scorned as “the department of no” — has a responsibility to ensure the integrity and safety of mission-critical data, which often puts it at odds with other parts of the IT organization.

In addition, the CISO is also challenged to ensure that his or her organization complies with regulatory, legal and other relevant industry mandates to ensure the privacy and safe handling of customer or patient data. Along with that comes the need to provide auditors with visibility via appropriate reporting into the compliance posture of data privacy controls.

Despite the maturity of regulatory mandates such as the Payment Card Industry Data Security Standard (PCI DSS), many CISOs still struggle to satisfy these requirements. According to Verizon’s “2018 Payment Security Report,” the percentage of organizations that met PCI DSS requirements dropped from 55.4 precent in 2016 to 52.5 percent in 2017.

The Chief Data Officer: A Business-Minded Marshal

Let’s contrast a CISO’s goals with those of a CDO, whose primary aim is to find and extract value and business insights from enterprise data. As this role has evolved over the past several years, additional objectives have arisen in support of those goals to optimize data use and enable new business models that can create additional revenue streams and/or reduce costs. CDOs typically have five primary jobs:

  1. Develop new methods to leverage existing enterprise data.
  2. Supplement existing enterprise data with external data sources.
  3. Develop new revenue streams based on proprietary data.
  4. Maintain the integrity of the data being managed.
  5. Ensure the privacy and security of that data.

Collaboration is key, especially for organizations in the banking, insurance, pharmaceutical and telecommunications sectors. Those organizations face more critical challenges around privacy, compliance, discovery and governance. Whether it’s to avoid regulatory fines for not producing the necessary reporting or to fend off legal challenges by producing required data discovery, the CDO shares responsibility for managing risks associated with data.

The Chief Risk Officer: A New Sheriff in Town

While the CRO has not historically been involved in managing data risk, the digital transformation of the enterprise, the rise of cloud computing and the Internet of Things (IoT) have recently pushed the CRO into the new frontier of data risk management.

Traditionally, the CRO has been responsible for acting as the custodian of the enterprise’s risk appetite, providing independent risk advice to the board and C-suite, maintaining a culture of risk, and reducing revenue volatility (and stock valuation for publicly held companies). However, the growing risks of financial losses due to successful ransomware attacks, fines levied from compliance violations, legal fees and the business disruption caused by large-scale attacks have made data one of the biggest risks to a business.

In its annual risk barometer for 2018, Allianz ranked cyber incidents as the No. 1 issue for the U.S. and No. 2 issue globally, a significant increase from being the fifteenth highest risk in its 2013 report. This has led to new responsibilities for the CRO, including bringing critical assets, such as intellectual property (IP), financial data, personally identifiable information (PII) and health records, into the enterprise risk management framework while enabling digital transformation of the enterprise. Such a framework of controls, policies and processes with key risk indicators can help establish the appropriate threshold that the organization is willing to take.

To be successful in that effort, the CRO must band together with other peers in the C-suite to discover and classify data assets according to their criticality and risk, strengthen security policies, and ensure that the correct controls are in place. As shown in the Verizon report, not having security controls in place that reflect fundamental security principles can lead not only to fines, but also greatly increase the chances of a significant data breach.

Circle the Wagons for Comprehensive Data Risk Management

As cyber incidents rise to the top of the list of concerns for enterprise leaders, the need for a consolidated data risk management program has never been more urgent. The CISO, CDO and CRO all have a common set of requirements in this consolidated approach, including visibility, controls (policies and procedures), prioritization of data assets, alignment to business decision-making, and collaboration and communication.

The insights, skills and leadership each of these C-level executives brings to the task are crucial to putting mission-critical data — an organization’s crown jewels — at the center of the effort. Ensuring the confidentiality, integrity and availability of that data, no matter where it lives and moves or who touches it, is job one. By working together, all three executives can more effectively communicate the business implications of the cyber risks they uncover to the board of directors. When the board understands the business risks and benefits, it is more likely to fund the security initiatives required to improve data risk management.

Lastly, as these leaders embark on their journey to create a formal data risk management program, it can be tremendously valuable to have a common set of dashboards that can graphically represent real risk exposures based on data gathered from a range of security metrics. Having easily digestible dashboards also allows executives to quickly discover, analyze and view data-related business risks and take immediate action to protect the enterprise.

This business-centric approach can reduce the time it takes to investigate and remediate threats, and can help avoid or minimize damages and costs. Like a scout looking for danger out ahead of a wagon train, data risk management can give leaders enough advanced warning to circle the wagons before cyber bandits make off with valuable data.

Join the webinar

 |  |  |  |  |  |  |  | 
Paula Musich
Research Director

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature