Rise Of The CRO
Ten years ago, CEOs we worked with wanted a few fairly straightforward things: one person to be responsible for the security staff and technology, a basic action plan, and a reasonable budget with some pretty graphs. Soon, CISOs started springing up like spring crocuses.
Today, business execs at Global 50 companies and SMBs alike want their risk management programs to incorporate information security and technology risk, operational risk, and compliance. They want information security that has a solid value proposition, with quantifiable metrics. They want a cohesive account of what they should be worried about and, just as important, what they shouldn't. They want a single source able to provide a concise assessment of the company's risk profile at any given moment, and a list of investments most likely to mitigate future risk. And particularly when things are going from bad to worse, they don't want various assessments from IT, compliance, and business teams protecting their turf or shirking accountability.
In short, they want one individual to take ownership of all of the above, and our experience shows they're now willing to pay for it.
Enter the chief risk officer.
While just 3% of respondents to our survey say a CRO is the primary owner of the IT risk management program within their companies, we think that within a few years, the role will be commonplace, especially in large enterprises. However, to bring everyone together, the CRO must be able to form an agile organization that can dodge and weave and evolve with the regulatory climate, attacker landscape, budgetary cycles, and industry dynamics. The CRO must have a vision compelling enough to silence the inevitable naysayers and gain cooperation from people with many different priorities.
The ideal candidate will have technical, financial, and operational chops and the authority to institute and enforce standards. If you can't see yourself explaining to the head of e-commerce why (and how) secure coding practices must be implemented for the largest revenue-generating arm of a global retailer, this isn't the job for you.
We worked with a security executive at a major retailer who took the initiative to team with his CRO and aggressively begin the transition to enterprise-wide risk-based management. The company pushed through a reorganization that established risk as a core business function of security. That's key. Now, whenever an IT decision is made, security is a foundational element, not something tacked on later. If you've ever been asked to do a code review on an application that's already been rolled out to half the company, you know that duct-taping security on after the fact is always more expensive and less effective. Because of its risk focus, the company not only doesn't pay that premium, it's able to invest in such big-picture cross-functional efforts as global policy and infrastructure reengineering.
Having an overriding strategy is even more important for organizations that are struggling. In this company, the operations group is working at 120% capacity, but operating systems still must be hardened before they're deployed. How, when the staff is stretched to the limit? Because security leadership is participating throughout the project planning process and having security requirements included in the timeline and scope, the team is getting funding. And as a result of incorporating business risk as the value proposition for security controls, it's able to develop standards for the enterprise to use, and reuse. Meanwhile, these leaders frequently meet with their business counterparts to understand their priorities, so their requirements and concerns are reflected in the security group's strategy and budget. Now, when business problems arise down the road, technologies should be in place to address them.
No surprise, this company is now on a solid path. Resources are still tight, but the security team as a whole has proved it's willing to do what it takes to transition security from a cost center to an asset.
The bar is set high.