Peter Sondergaard, Senior Vice President, Global Head of Research, Gartner, gives his take on the need for organisations to employ more Digital Risk Officers.
The start of any year always brings about the dreaded ‘all-day meetings.’ This is when CEOs and their teams hunker down with leaders throughout the business in daylong meetings to kick off plans, programs and initiatives. If you’re anything like me, then you know you’ve been in too many of these meetings when you catch yourself using terms like “I think we need a bio-break.” Sigh.
I have been working with a lot of client CEOs and their teams over the past few weeks, and one topic keeps coming up over and over again — information security. The sensational headlines from last year about systems breaches, compromised customer data and brand attacks have struck a chord for leaders who see this as a very real and present danger for their organisations.
What’s to be done?
The same headlines that have clearly spooked CEOs into putting information security on their priority list have also polarised them into a perilously narrow way of thinking about what actually constitutes information security risk. Too often they see the solution as merely improving the tools and platforms managed by their CIO and IT organisations.
But this is not sufficient. Information security is no longer just a technical problem handled by technical people. It requires systemic behaviour change in business process and by all employees. And as more enterprises become digital businesses, they will require a digital risk and security program.
In speaking with our Chief of Research for Security and Risk, Paul Proctor, it is clear that CEOs must own the responsibility of redefining what security and risk mean for their organisations as they become digital businesses. To address these challenges head on, our research strongly recommends that CEOs consider the role of the digital risk officer (DRO), which is either a new role or an expanded set of responsibilities for the chief information security officer (CISO).
As organisations, marketplaces, customers and every other factor impacting our strategy constantly change, new opportunities and risks inevitably present themselves to CEOs and senior leaders. New roles with defined responsibilities are often created to focus the necessary time, resources and expertise on these issues so that, putting it simply, something gets done about it. These roles are sometimes transient, or a way of defining a specific additional focus for an existing senior leader. Either way, the title of Digital Risk Officer acts as a rallying flag within the organisation for all these initiatives to coalesce in one place. And rather than own a specific new initiative, which inevitably causes friction within the C-suite, the most successful executives instead focus on coordinating the multitude of activities and direct efforts in one coherent direction.
It’s all about focus
CEOs need to task the DRO to investigate the risk implications of digital innovation and the level of risk that is acceptable across the organisation in a world of increasing digitalisation of both physical and virtual assets and processes. The assessment of risk needs to span the digital business from one end to the other, not in isolated pockets such as products, business units or traditional channels. It must be across the entire process to be successful.
To be successful, the DRO needs a deep level of understanding of the Internet of things (IoT), operational technology (OT), physical security, information security, privacy, business continuity management and risk. The DRO needs to understand the entire digital platform of the organisation. In many organisations the CISO may assume these expanded responsibilities, but may not continue to report to the CIO.
Digital risk and security is only one of several capabilities that CEOs need to re-evaluate, assume accountability for, and then assign specific responsibility for to a leader within their organisation. Digital business requires an added set of capabilities of a CEO. Gartner believes the rapid digital change around us leaves every CEO with only 24 months to develop a digital strategy, reassign and/or expand corporate responsibilities and start executing change.
A recent article in the Wall Street Journal noted that experienced CISOs with these skills are now commanding $1M+ packages. It’s clear that the size of the challenge does not match the number of professionals who are qualified to help, which creates a high price for this scarce competence.
So there’s no time to lose. Is this on your all-day meeting agenda?