Another C has found its way into the lexicon of the C-suite: the chief risk officer (CRO).

Some may be scratching their heads and wondering why CROs are necessary. After all, isn’t risk already part of the domain responsibility of the chief executive officer (CEO), general counsel, chief security officer (CSO), chief information officer (CIO), chief information security officer (CISO) and chief operating officer (COO)?

The answer is yes; every member of the C-suite is responsible for their domain and for ensuring the remainder of the enterprise or company benefits from their decisions and counsel for collective risk management. Bringing the CRO — or the digital risk officer, as the role is sometimes referred to in the technology world — to the forefront allows risk management to be consolidated and uniform throughout the enterprise.

The Rise of the CRO

Gartner projects that one-third of large enterprises will have a digital risk officer by 2017 and that the role will broadly emerge in 2015. The role will require skills in business knowledge, communication, risk management, privacy and technology. This sounds eerily similar to what has been advocated for the CISO who wishes to secure his or her seat at the corporate strategy table. Make no mistake: The CISO who exhibits dexterity in identifying and mitigating cyber risks will continue to be a key piece of the CISO-CRO dance.

The CRO who has visibility across the enterprise or company — specifically into the domains of the general counsel, CEO, CIO, COO, etc. — ensures that risks are addressed in the broadest possible manner, with the business outcomes at the forefront. This allows the CISO’s team to address the local execution against the constant onslaught of the technological probes and attacks hitting the company’s infrastructure perimeter and evolving from within.

The role also allows information technology (IT) policies and procedures to evolve naturally into business-driven solutions. Business ownership and enforcement ensure the IT security department is not the “No Police” but rather a key part of the solution. This way, policy creation becomes a risk management solution, and no IT policy will stunt the company’s business processes. Should a risk be identified as open with no immediate mitigation solution, the CRO, with a broader perspective, can advise on the course of action to be taken.

CISO at the Corporate Strategy Table

The CISO’s place at the corporate strategy table is not a risk. The CISO will be at the right hand, if not attached to the hip, of the CRO.

The CISO’s cyber incident response team (CIRT) will be a critical component as well. The CIRT will be able to move beyond the infamous “whack-a-mole” technique and engage in both incident response and education.

With education and overall boosted awareness, the individual user and his or her principals — those in the various roles within the C-suite — will recognize the evolution from “No, don’t do that,” to “This is how we should do that, and for these reasons.”
