Gartner: Digital Risk Officers on Rise
Teaming with CISOs to Address New Risks
Large enterprises are engaging new digital business models as part of their growth strategy. Such innovation gives rise to the increase of the new "digital risk officer," says Sid Deshpande, principal analyst at Gartner.
"While the industry is witnessing the emergence of digital risk officers to address risks due to digital innovations, the role complements the CISO role, and is not its substitute," he says.
As business risks escalate, a new reporting structure will evolve with the rise of chief data officers and digital risk officers, in which IT security will be part of the whole framework, Deshpande says.
In this interview with Information Security Media Group, Deshpande shares his insights on the evolution and explains the risk management process that demands a new portfolio of managers. He throws light on:
- How CISOs are affected by the evolution of DROs;
- New skills required to spot digital risks;
- Complementary roles played by CISOs and DROs.
As principal analyst, Deshpande handles security aspects of Gartner's research. The worldwide lead for cloud storage forecasts, he tracks the cloud IaaS space, mobility and new technologies, both from the APAC and global level, with a focus on the Indian market.
Rise of the DRO
GEETHA NANDIKOTKUR: Can you throw light on new trends like the emergence of digital risk officers and chief data officers, which Gartner has been endorsing?
SID DESHPANDE: Gartner predicts that 25 percent of organizations will have a chief data officer by 2017, and the phenomenon will be majorly observed in regulated industries like banking and insurance. A new role is further emerging, that of digital risk officers. By 2017, one-third of large enterprises engaging in different business models will have a DRO role or its equivalent.
What's the reason behind the trend? To understand this, it's important to understand what digital risk means and why it needs an exclusive role. Digital risk is the management of risk for all forms of technology that create, store, transport, use and/or destroy digital information as part of digital business practices. Besides, digital risk management is the next evolution in enterprise risk and security for digital businesses that are expanding the scope of technologies requiring protection. IT security and security risks are only one aspect of digital risk. A DRO will address risks arising out of using traditional IT environments, cloud, mobile, OT, telephony, audio, video and IoT in fulfilment of digital business initiatives.
The evolution of CDOs is also part of the digital innovation in enterprises, where CDOs need a background in legal and compliance or risk management responsibilities, an understanding of "data as an asset," a solid background in the industry they work in, and knowledge of the tools and techniques of data modelling. Gartner believes poor quality of data costs organizations dearly and that governance issues are also arising due to poor data management, resulting in huge risks. CDOs, DROs and security heads will manage data as part of business operations.
Impact on CISO Role
NANDIKOTKUR: How will the rise of DROs affect the existing IT security/CISOs role?
DESHPANDE: I wouldn't see any adverse impact. However, Gartner believes the traditional concept of IT security is insufficient to adequately define the new role security practices have. Optimization of digital risk outcomes will require organizations to develop, deploy and manage risk assessment and management tools and processes across all forms of technology. CISOs and DROs will play a complementary role in addressing risks.
The impact of this new structure of digital risk governance and management on IT and IT security operations is minimal, particularly in enterprises that have already adopted the DRO role. In the new reporting structure within enterprises, Gartner sees DROs directly reporting to either the CEO, chief operating officer, chief risk officer or chief digital officer. The structure will vary within organizations, depending upon the extent of digitization of business.
According to Gartner's observation, adoption of this new structure requires the IT security team to step back from its position as the sole manager of security risk, and for the CISO to form effective partnerships with the DRO and other digital risk teams managing other forms of technology. It is an opportunity of growth for security teams also.
Skill Sets Required
NANDIKOTKUR: What are the skill sets required by DROs, and how can they complement CISOs' skills?
DESHPANDE: DROs will require a mix of business acumen and understanding with sufficient technical knowledge to assess and make recommendations for addressing digital business risk. It's possible that many traditional security officers will change their titles to digital risk and security officers, but without material change in their scope, mandate and skills, they will not fulfill this role in its entirety. Gartner says that DROs will need good communication skills sufficient to address senior business leaders. They need to have skills to gauge risks related to IoT, operational technologies, social media, supply chain, M2M technologies and big data and so on. They need to understand the language to deal with privacy, legal and business continuity management.
DRO Responsibilities
NANDIKOTKUR: What would be the key responsibilities of the DRO?
DESHPANDE: Gartner recommends that DRO role holders must investigate the risk implications of digital innovation, particularly how it changes the risk appetite of key business leaders. DROs should develop risk assessment capabilities that span digital business models end to end.
DROs will influence governance, oversight and decision making related to digital business. This role will explicitly work with non-IT executives in various capacities to better understand digital business risk and facilitate a balance between the need to protect the organization and the need to run the business.