As IT security evolves as a corporate priority, so do the roles and responsibilities of the executive team. Three C-level executives in particular — chief information security officers (CISOs), chief data officers (CDOs) and chief risk officers (CROs) — are challenged to take a more hands-on approach to effectively address security concerns for their board. The tasks of protecting business-critical data and ensuring compliance with regulatory mandates have taken on greater urgency as board-level concerns elevate the focus on enterprise data risk management.
Individuals in each of these roles have a responsibility to ensure that mission-critical data is managed in a way that reduces the likelihood of it falling into the wrong hands. Each role, however, brings a different perspective and mission to the task.
The Chief Information Security Officer: A Seasoned Enforcer
Among the CISO's many responsibilities, the top objective is to mitigate data risk through a well-designed defense-in-depth strategy that orchestrates an effective combination of people, processes and technology. The CISO's organization, long scorned as "the department of no," is responsible for the integrity and safety of mission-critical data, which often puts it at odds with other parts of the IT organization.
The CISO is also challenged to ensure that the organization complies with regulatory, legal and other relevant industry mandates governing the privacy and safe handling of customer or patient data. Along with that comes the need to give auditors visibility, through appropriate reporting, into the compliance posture of data privacy controls.
Despite the maturity of mandates such as the Payment Card Industry Data Security Standard (PCI DSS), many CISOs still struggle to satisfy these requirements. According to Verizon's "2018 Payment Security Report," the percentage of organizations that achieved full PCI DSS compliance dropped from 55.4 percent in 2016 to 52.5 percent in 2017.
The Chief Data Officer: A Business-Minded Marshal
Let’s contrast a CISO’s goals with those of a CDO, whose primary aim is to find and extract value and business insights from enterprise data. As this role has evolved over the past several years, additional objectives have arisen in support of those goals to optimize data use and enable new business models that can create additional revenue streams and/or reduce costs. CDOs typically have five primary jobs:
- Develop new methods to leverage existing enterprise data.
- Supplement existing enterprise data with external data sources.
- Develop new revenue streams based on proprietary data.
- Maintain the integrity of the data being managed.
- Ensure the privacy and security of that data.
Collaboration is key, especially for organizations in the banking, insurance, pharmaceutical and telecommunications sectors. Those organizations face more critical challenges around privacy, compliance, discovery and governance. Whether it’s to avoid regulatory fines for not producing the necessary reporting or to fend off legal challenges by producing required data discovery, the CDO shares responsibility for managing risks associated with data.
The Chief Risk Officer: A New Sheriff in Town
While the CRO has not historically been involved in managing data risk, the digital transformation of the enterprise, the rise of cloud computing and the Internet of Things (IoT) have recently pushed the CRO into the new frontier of data risk management.
Traditionally, the CRO has been responsible for acting as the custodian of the enterprise's risk appetite, providing independent risk advice to the board and C-suite, maintaining a culture of risk awareness, and reducing the volatility of revenue (and, for publicly held companies, of stock valuation). However, the growing risk of financial losses from successful ransomware attacks, fines levied for compliance violations, legal fees and the business disruption caused by large-scale attacks has made data one of the biggest risks to a business.
In its annual risk barometer for 2018, Allianz ranked cyber incidents as the No. 1 issue for the U.S. and No. 2 issue globally, a significant increase from fifteenth place in its 2013 report. This has led to new responsibilities for the CRO, including bringing critical assets, such as intellectual property (IP), financial data, personally identifiable information (PII) and health records, into the enterprise risk management framework while enabling digital transformation of the enterprise. Such a framework of controls, policies and processes, backed by key risk indicators, can help establish the level of data risk the organization is willing to accept.
To be successful in that effort, the CRO must band together with peers in the C-suite to discover and classify data assets according to their criticality and risk, strengthen security policies, and ensure that the correct controls are in place. As the Verizon report shows, failing to put in place security controls that reflect fundamental security principles can not only lead to fines but also greatly increase the chances of a significant data breach.
Circle the Wagons for Comprehensive Data Risk Management
As cyber incidents rise to the top of the list of concerns for enterprise leaders, the need for a consolidated data risk management program has never been more urgent. The CISO, CDO and CRO all have a common set of requirements in this consolidated approach, including visibility, controls (policies and procedures), prioritization of data assets, alignment to business decision-making, and collaboration and communication.
The insights, skills and leadership each of these C-level executives brings to the task are crucial to putting mission-critical data — an organization’s crown jewels — at the center of the effort. Ensuring the confidentiality, integrity and availability of that data, no matter where it lives and moves or who touches it, is job one. By working together, all three executives can more effectively communicate the business implications of the cyber risks they uncover to the board of directors. When the board understands the business risks and benefits, it is more likely to fund the security initiatives required to improve data risk management.
Lastly, as these leaders embark on their journey to create a formal data risk management program, it can be tremendously valuable to have a common set of dashboards that can graphically represent real risk exposures based on data gathered from a range of security metrics. Having easily digestible dashboards also allows executives to quickly discover, analyze and view data-related business risks and take immediate action to protect the enterprise.
This business-centric approach can reduce the time it takes to investigate and remediate threats, and can help avoid or minimize damages and costs. Like a scout looking for danger ahead of a wagon train, data risk management can give leaders enough advance warning to circle the wagons before cyber bandits make off with valuable data.