CISOs exploring career advancement opportunities have a new consideration, according to Gartner VP and Distinguished Analyst Paul Proctor. At a Gartner Security & Risk Management Summit presentation in June, Proctor talked about the evolution of a new enterprise role, which is a logical next step for some CISOs: Digital Risk Officer (DRO).
While few organizations have formally created the role, Gartner predicts that by 2020, 30 percent of large enterprises will have a DRO in place. Why? Because the increasing integration of digital technologies into business operations and products—the Internet of Things (IoT)—requires someone who can assess technology risk throughout the digital enterprise and inform executive decisions that affect business processes. An example is assessing the physical system that gathers personally identifiable information from wearable technology. The DRO would look at how the data is used in marketing and sales operations, identify privacy issues, and examine the legality of monetizing the data as a source of revenue.
Proctor reports that while CISOs may not have the title, many have gradually taken on some of the tasks associated with a DRO, such as:
- Reviewing contract clauses for technology risk and security requirements
- Developing policies to address the growing use of technology not controlled by IT
- Addressing the privacy and security of data gathered by IoT devices
- Providing security expertise to Mode 2 projects
- Dotted-line reporting to operational risk groups
For CISOs interested in making the transition, here are the skills needed, according to several experts:
- Fully comprehend how the business is run, recognize desired strategic outcomes and speak the language of executives in order to fully articulate digital risk factors in operational and financial terms.
- Understand IT, IoT and operational technology (OT), and the overlap of technology and the physical world.
- Have the ability to work in a bimodal organization, supporting Mode 2 projects.
- Understand global privacy and e-commerce regulations.
- Have a people-centric style to work across the organization in collaboration with businesses, legal, compliance, operations, and digital marketing and sales.
Essentially, the DRO’s role is to bridge the cultural divide between business and technology, says Nick Sanna, president of the Digital Risk Management (DRM) Institute. To do that requires building the organizational processes and best practices necessary to measure and manage digital business risk—including mapping important business processes, assessing exposure to threats and prioritizing risk mitigation initiatives. Sanna admits that building a DRM program will be a complex challenge for DROs, but also a great personal stretch opportunity.