Chief Risk Officers needed to battle rising corporate espionage

A growing number of organizations are adding a new member to the C-suite—the chief risk officer (CRO)—and the rise of these executives is having a direct impact on the security programs at enterprises.

A growing number of organizations are adding a new member to the C-suite—the chief risk officer (CRO)—and the rise of these executives is having a direct impact on the security programs at enterprises.

“Corporate espionage, terrorism and cyber attacks are ratcheting up the need for senior executives who understand all aspects of risk management and security,” says Jeremy King, president of Benchmark Executive Search, a provider of technology executive search services.

“Many companies are finally awakening to how destructive security breaches of all types can be—from physical damage and real costs to reputation loss and customer recovery,” King says. “Previously siloed risk-management functions must be reinvented, strengthened, and funded more aggressively. Industry must re-evaluate its approach to risk management, and success will require unprecedented cooperation from board directors and those in the C-suite.”

[ ALSO ON CSO: Trust in the new world: The evolving role of the Chief Risk Officer ]

The rise of the CRO is a trend that has yet to take off, King says. “While some forward-looking, large financial players have hired a CRO to oversee all risk, most companies have yet to follow their lead,” he says. “Based on what I have gleaned from clients, advisers, and our network of security talent, public companies will increasingly empower a single leader or group to take charge of their integrated risk and security strategies.”

CROs will see a greater role at public companies and be regarded as peers to the COO, King says, with the COO having responsibility for profit and loss and the CRO being responsible for “prevention of loss.”

As s rule, CROs have been gaining power and influence within their organizations. “But with most new corporate initiatives, they do not bubble up but work top down,” King says. “Therefore, boards must demand this be a major initiative.”

The role of CRO is constantly changing and evolving in order to fit the needs of the business and how it makes risk-based decisions, says Merri Beth Lavagnino, CRO at Indiana University. “A static enterprise risk management role would not be an effective one, because the world we live in is constantly changing,” she says.

That’s also true at DocuSign, a provider of electronic signature applications. “My team has evolved to ensure we are best equipped to manage and mitigate all aspects of risk in our business,” says Tom Pageler, a former special agent with the U.S. Secret Service who is now CRO at DocuSign.

“We look at all risks holistically to include physical security, operational risk, audit, compliance, and risk/security awareness and communications in addition to information security,” says Pageler, who reports to the general counsel and board of directors. “My scope includes [merger and acquisition] risk, country risk, business risk and other areas outside of traditional ‘security’. As such, we run a robust Risk/Security Council where our risk registry is discussed and tracked by a team of experts and business leaders.”

A confluence of factors is driving the emergence of the CRO role, as well heightening the influence of existing CROs, says Nicholas Hayes, an analyst at Forrester Research.

“Factors like greater market volatility, heightened social unrest, growing reliance on proliferating third parties, and digital disruption are just some of the external factors that make it more critical for organizations to understand and successfully navigate their risk environment—and they need someone with risk acumen and experience to do this,” Hayes says.

What is still a work in progress at many organizations is how the CRO fits into the corporate security management structure.

“It is no small task for any organization to achieve consensus about what must be done, what organizational assets must be integrated into their broader risk-management mission and even a standard organizational structure to determine how the CRO, CIO, CSO and CISO fit together,” King says.

[ MORE: 5 ways to create a collaborative risk management program ]

“Since the reporting structure of CSOs/CISOs range from the CIO, general counsel, chief compliance officer to the CEO, it is no wonder there is confusion,” King says. “A new framework needs to be created which could lead to major reporting changes.”

At Black Knight Financial Services, a provider of data and analytics technology for financial services firms, the CISO and director of physical security report to CRO Peter Hill, who reports directly to the CEO as well as a risk committee of Black Knight’s board of directors.

Jeremy King, president of Benchmark Executive Search

Information security comprises a significant portion of the risk landscape of the company, and it is critical to have this function closely aligned to the overall strategic risk direction of the company,” Hill says. “This reporting relationship continues to provide substantial benefits in the effective management of risk and security, and ensures investment in information security is commensurate with the organization’s strategic direction and risk profile.”

Enterprise risk management “is generally operating at a higher level of concern [than corporate security], looking at the big things that could keep the organization from achieving its mission,” adds Lavagnino. “We’re talking really big here—the things that would take you down as a company.”

While some of the CISO/CSOs risks may rise to the enterprise level, the CRO will most likely work directly with the CIO or vice president for IT as a member of the enterprise risk management committee most of the time, and only with the CISO/CSO when more detailed information about the risk and its mitigations is needed, Lavagnino says.

“It can be hard for CISO/CSOs to accept that there are many other, more troublesome institutional risks that rank higher in likelihood and severity than their information security risks,” Lavagnino says. “I also have found that the security professional is often way ahead of the game, compared to some other parts of the organization, and thus, information security risks are well mitigated.”

In other words, security executives might be doing such a good job mitigating the security risks down to an acceptable level, “that they end up lower on the list of enterprise risk priorities,” Lavagnino says. “That is not to say the security risks are not important; they could very well have some of the highest inherent risk ratings.”

At DocuSign, all security leadership and functions report to Pageler. “However, we also have security champions embedded throughout the enterprise who have dotted line reporting into the risk team, he says. “This ensures that our line-of-business leaders and teams integrate security into their various processes, as any company’s risk and security operations are only as strong and secure as its employees. Ensuring everyone is part of security helps to achieve this goal.”

Helping to create a culture of security will likely be a key responsibility of CROs.

“Risk management starts at the top of these companies, and the key will be vigorous attention and collaboration between boards of directors to set stricter policies and the C-suite to communicate and implement them,” King says. “This will not happen without strong executive leadership, and greater resources to manage network vulnerabilities with urgency and continual innovation.”

Along with having security champions embedded throughout the organization, DocuSign prioritizes making security part of the culture through its DocuSign Emergency Response Team (DERT).

“The individuals who volunteer for DERT are trained to respond during a crisis,” Pageler says. “They are trained in CPR, fire safety, and other preparedness techniques and are given awards for good security-minded acts, such as finding an open door or flagging a potential spam email.” DERT members also participate in industry webinars, training and seminars to uncover and share best practices across the team.

Creating a culture of risk and security awareness for all employees in the company “is the single most important responsibility of the [enterprise risk management] and security department,” Hill says. “Over the past two years we’ve made many enhancements to our risk and security awareness and training program in an effort to embed a vigilant security and risk awareness culture.”

Join the CSO newsletter!

Error: Please check your email address.

More about CSODocuSignForrester ResearchHayes

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bob Violino

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts