As IT security evolves as a corporate priority, so do the roles and responsibilities of the executive team. Three C-level executives in particular — chief information security officers (CISOs), chief data officers (CDOs) and chief risk officers (CROs) — are challenged to take a more hands-on approach to effectively address security concerns for their board. The tasks of protecting business-critical data and ensuring compliance with regulatory mandates have taken on greater urgency as board-level concerns elevate the focus on enterprise data risk management.

Individuals in each of these roles have a responsibility to ensure that mission-critical data is managed in a way that reduces the likelihood of it falling into the wrong hands. Each role, however, brings a different perspective and mission to the task.

The Chief Information Security Officer: A Seasoned Enforcer

Out of the myriad responsibilities of the CISO, his or her top objective is to mitigate data risk through a well-designed, in-depth defense strategy that orchestrates an effective combination of people, processes and technology. The CISO’s organization — long scorned as “the department of no” — has a responsibility to ensure the integrity and safety of mission-critical data, which often puts it at odds with other parts of the IT organization.

In addition, the CISO is also challenged to ensure that his or her organization complies with regulatory, legal and other relevant industry mandates to ensure the privacy and safe handling of customer or patient data. Along with that comes the need to provide auditors with visibility via appropriate reporting into the compliance posture of data privacy controls.

Despite the maturity of regulatory mandates such as the Payment Card Industry Data Security Standard (PCI DSS), many CISOs still struggle to satisfy these requirements. According to Verizon’s “2018 Payment Security Report,” the percentage of organizations that met PCI DSS requirements dropped from 55.4 percent in 2016 to 52.5 percent in 2017.

The Chief Data Officer: A Business-Minded Marshal

Let’s contrast a CISO’s goals with those of a CDO, whose primary aim is to find and extract value and business insights from enterprise data. As this role has evolved over the past several years, additional objectives have arisen in support of those goals to optimize data use and enable new business models that can create additional revenue streams and/or reduce costs. CDOs typically have five primary jobs:

  1. Develop new methods to leverage existing enterprise data.
  2. Supplement existing enterprise data with external data sources.
  3. Develop new revenue streams based on proprietary data.
  4. Maintain the integrity of the data being managed.
  5. Ensure the privacy and security of that data.

Collaboration is key, especially for organizations in the banking, insurance, pharmaceutical and telecommunications sectors. Those organizations face more critical challenges around privacy, compliance, discovery and governance. Whether it’s to avoid regulatory fines for not producing the necessary reporting or to fend off legal challenges by producing required data discovery, the CDO shares responsibility for managing risks associated with data.

The Chief Risk Officer: A New Sheriff in Town

While the CRO has not historically been involved in managing data risk, the digital transformation of the enterprise, the rise of cloud computing and the Internet of Things (IoT) have recently pushed the CRO into the new frontier of data risk management.

Traditionally, the CRO has been responsible for acting as the custodian of the enterprise’s risk appetite, providing independent risk advice to the board and C-suite, maintaining a culture of risk awareness, and reducing volatility in revenue (and in stock valuation for publicly held companies). However, the growing risk of financial losses from successful ransomware attacks, fines levied for compliance violations, legal fees and the business disruption caused by large-scale attacks has made data one of the biggest risks to a business.

In its annual risk barometer for 2018, Allianz ranked cyber incidents as the No. 1 issue for the U.S. and the No. 2 issue globally, a significant increase from fifteenth place in its 2013 report. This has led to new responsibilities for the CRO, including bringing critical assets, such as intellectual property (IP), financial data, personally identifiable information (PII) and health records, into the enterprise risk management framework while enabling the digital transformation of the enterprise. Such a framework of controls, policies and processes, backed by key risk indicators, can help establish the threshold of risk the organization is willing to accept.

To be successful in that effort, the CRO must band together with peers in the C-suite to discover and classify data assets according to their criticality and risk, strengthen security policies, and ensure that the correct controls are in place. As the Verizon report shows, lacking security controls that reflect fundamental security principles can lead not only to fines, but also to a greatly increased chance of a significant data breach.

Circle the Wagons for Comprehensive Data Risk Management

As cyber incidents rise to the top of the list of concerns for enterprise leaders, the need for a consolidated data risk management program has never been more urgent. The CISO, CDO and CRO all have a common set of requirements in this consolidated approach, including visibility, controls (policies and procedures), prioritization of data assets, alignment to business decision-making, and collaboration and communication.

The insights, skills and leadership each of these C-level executives brings to the task are crucial to putting mission-critical data — an organization’s crown jewels — at the center of the effort. Ensuring the confidentiality, integrity and availability of that data, no matter where it lives and moves or who touches it, is job one. By working together, all three executives can more effectively communicate the business implications of the cyber risks they uncover to the board of directors. When the board understands the business risks and benefits, it is more likely to fund the security initiatives required to improve data risk management.

Lastly, as these leaders embark on their journey to create a formal data risk management program, it can be tremendously valuable to have a common set of dashboards that can graphically represent real risk exposures based on data gathered from a range of security metrics. Having easily digestible dashboards also allows executives to quickly discover, analyze and view data-related business risks and take immediate action to protect the enterprise.

This business-centric approach can reduce the time it takes to investigate and remediate threats, and can help avoid or minimize damages and costs. Like a scout looking for danger out ahead of a wagon train, data risk management can give leaders enough advanced warning to circle the wagons before cyber bandits make off with valuable data.
