A growing number of organizations are adding a new member to the C-suite—the chief risk officer (CRO)—and the rise of these executives is having a direct impact on the security programs at enterprises.
“Corporate espionage, terrorism and cyber attacks are ratcheting up the need for senior executives who understand all aspects of risk management and security,” says Jeremy King, president of Benchmark Executive Search, a provider of technology executive search services.
“Many companies are finally awakening to how destructive security breaches of all types can be—from physical damage and real costs to reputation loss and customer recovery,” King says. “Previously siloed risk-management functions must be reinvented, strengthened, and funded more aggressively. Industry must re-evaluate its approach to risk management, and success will require unprecedented cooperation from board directors and those in the C-suite.”
[ ALSO ON CSO: Trust in the new world: The evolving role of the Chief Risk Officer ]
The rise of the CRO is a trend that has yet to take off, King says. “While some forward-looking, large financial players have hired a CRO to oversee all risk, most companies have yet to follow their lead,” he says. “Based on what I have gleaned from clients, advisers, and our network of security talent, public companies will increasingly empower a single leader or group to take charge of their integrated risk and security strategies.”
CROs will see a greater role at public companies and be regarded as peers to the COO, King says, with the COO having responsibility for profit and loss and the CRO being responsible for “prevention of loss.”
As s rule, CROs have been gaining power and influence within their organizations. “But with most new corporate initiatives, they do not bubble up but work top down,” King says. “Therefore, boards must demand this be a major initiative.”
The role of CRO is constantly changing and evolving in order to fit the needs of the business and how it makes risk-based decisions, says Merri Beth Lavagnino, CRO at Indiana University. “A static enterprise risk management role would not be an effective one, because the world we live in is constantly changing,” she says.
That’s also true at DocuSign, a provider of electronic signature applications. “My team has evolved to ensure we are best equipped to manage and mitigate all aspects of risk in our business,” says Tom Pageler, a former special agent with the U.S. Secret Service who is now CRO at DocuSign.
“We look at all risks holistically to include physical security, operational risk, audit, compliance, and risk/security awareness and communications in addition to information security,” says Pageler, who reports to the general counsel and board of directors. “My scope includes [merger and acquisition] risk, country risk, business risk and other areas outside of traditional ‘security’. As such, we run a robust Risk/Security Council where our risk registry is discussed and tracked by a team of experts and business leaders.”
A confluence of factors is driving the emergence of the CRO role, as well heightening the influence of existing CROs, says Nicholas Hayes, an analyst at Forrester Research.
“Factors like greater market volatility, heightened social unrest, growing reliance on proliferating third parties, and digital disruption are just some of the external factors that make it more critical for organizations to understand and successfully navigate their risk environment—and they need someone with risk acumen and experience to do this,” Hayes says.
What is still a work in progress at many organizations is how the CRO fits into the corporate security management structure.
“It is no small task for any organization to achieve consensus about what must be done, what organizational assets must be integrated into their broader risk-management mission and even a standard organizational structure to determine how the CRO, CIO, CSO and CISO fit together,” King says.
“Since the reporting structure of CSOs/CISOs range from the CIO, general counsel, chief compliance officer to the CEO, it is no wonder there is confusion,” King says. “A new framework needs to be created which could lead to major reporting changes.”
At Black Knight Financial Services, a provider of data and analytics technology for financial services firms, the CISO and director of physical security report to CRO Peter Hill, who reports directly to the CEO as well as a risk committee of Black Knight’s board of directors.
Jeremy King, president of Benchmark Executive Search
“Information security comprises a significant portion of the risk landscape of the company, and it is critical to have this function closely aligned to the overall strategic risk direction of the company,” Hill says. “This reporting relationship continues to provide substantial benefits in the effective management of risk and security, and ensures investment in information security is commensurate with the organization’s strategic direction and risk profile.”
Enterprise risk management “is generally operating at a higher level of concern [than corporate security], looking at the big things that could keep the organization from achieving its mission,” adds Lavagnino. “We’re talking really big here—the things that would take you down as a company.”
While some of the CISO/CSOs risks may rise to the enterprise level, the CRO will most likely work directly with the CIO or vice president for IT as a member of the enterprise risk management committee most of the time, and only with the CISO/CSO when more detailed information about the risk and its mitigations is needed, Lavagnino says.
“It can be hard for CISO/CSOs to accept that there are many other, more troublesome institutional risks that rank higher in likelihood and severity than their information security risks,” Lavagnino says. “I also have found that the security professional is often way ahead of the game, compared to some other parts of the organization, and thus, information security risks are well mitigated.”
In other words, security executives might be doing such a good job mitigating the security risks down to an acceptable level, “that they end up lower on the list of enterprise risk priorities,” Lavagnino says. “That is not to say the security risks are not important; they could very well have some of the highest inherent risk ratings.”
At DocuSign, all security leadership and functions report to Pageler. “However, we also have security champions embedded throughout the enterprise who have dotted line reporting into the risk team, he says. “This ensures that our line-of-business leaders and teams integrate security into their various processes, as any company’s risk and security operations are only as strong and secure as its employees. Ensuring everyone is part of security helps to achieve this goal.”
Helping to create a culture of security will likely be a key responsibility of CROs.
“Risk management starts at the top of these companies, and the key will be vigorous attention and collaboration between boards of directors to set stricter policies and the C-suite to communicate and implement them,” King says. “This will not happen without strong executive leadership, and greater resources to manage network vulnerabilities with urgency and continual innovation.”
Along with having security champions embedded throughout the organization, DocuSign prioritizes making security part of the culture through its DocuSign Emergency Response Team (DERT).
“The individuals who volunteer for DERT are trained to respond during a crisis,” Pageler says. “They are trained in CPR, fire safety, and other preparedness techniques and are given awards for good security-minded acts, such as finding an open door or flagging a potential spam email.” DERT members also participate in industry webinars, training and seminars to uncover and share best practices across the team.
Creating a culture of risk and security awareness for all employees in the company “is the single most important responsibility of the [enterprise risk management] and security department,” Hill says. “Over the past two years we’ve made many enhancements to our risk and security awareness and training program in an effort to embed a vigilant security and risk awareness culture.”