Technological advancements have effectively transformed and continue to disrupt industries of all kinds. At the same time, organizations’ cybersecurity challenges are also increasing exponentially. As a result, the Chief Risk Officer (CRO) role is also expanding dramatically. After all, if an organization lets its guard down, the breakneck pace of technological change could represent a tremendous risk as much as it could, under other circumstances, yield great potential reward. Functioning as a key member of the C-suite in any organization, today’s truly effective CRO must be central in establishing, leading and monitoring his or her organization’s cybersecurity risk management program.
To help clarify this challenge, here are five key recommendations for today’s CRO to consider:
Cybersecurity and digital risk are expanding exponentially within companies’ risk portfolios. Confronting and assessing this ever-increasing threat is a crucial aspect of a CRO’s role. These issues cannot be ignored at the board level or below. If not understood and addressed, a company’s competitive position, reputation and valuation can be put at stake.
Financial services organizations have led the way, reaching maturity in the CRO space before others. The Federal Financial Institutions Examination Council (FFIEC) has pointed out that these companies already conducted sophisticated risk appetite analysis based on amount of credit issuance versus capital retained, and noted that similar standards should be used to judge cybersecurity risk. Banks took notice in order to meet examiners’ expectations according to the new guidelines. In the same way these companies gauge credit risk exposure in a holistic manner, they now need to be able to aggregate and analyze cyber risk.
By studying the threat and understanding the potential entry points or weaknesses in the company’s defenses, a CRO can craft a multidisciplinary approach that incorporates the company as a whole along with its individual parts. A “threat matrix” specific to the business can be created and disseminated internally by the CRO to communicate best practices and potential trouble areas.
The CRO must face the reality that the burgeoning cybersecurity threat is constant and dynamic, and assume the responsibility of protecting the business from this new type of risk. He or she must be more than relevant to the cybersecurity conversation within the company.
This is equally an opportunity and a challenge for the CRO, as they must unify robust cyber defenses across systems and processes for all corporate divisions. The effective CRO cultivates cross-departmental relationships from marketing to legal, from sales to production, from IT to HR, and so forth, then leverages those interactions to build strong and uniform cybersecurity companywide and demonstrate their capacity as a true leader. And, if a CRO is doing the job right, the weak link that might allow a hacker to gain entry to an otherwise secure system can be avoided through a corporate culture that is committed to cybersecurity and agile enough to combat it.
This is also why the IT department should not be the independent reviewer in this process. Make no mistake that IT has a fundamental role in building and maintaining the company’s core technology and ensuring cyber protection — but they are likely not aware of third-party and “shadow” IT systems running within any given company. As a result, the picture they would paint would likely be rosier than reality. A CRO has a responsibility to lead this process (or be integral to it, if the CISO is leading it).
Cybersecurity traditionally has been the Chief Information Officer’s (CIO’s) domain. And while the CIO still plays a crucial role in cybersecurity, the threat is now truly an existential one for any organization, with significant ramifications that go well beyond an impact on systems. Indeed, cybersecurity risk runs across all departments, as previously noted: marketing to legal to compliance to product management, manufacturing, and even the supply chain, including third-party vendors. And as every one of those areas and every employee is connected online now, so is the cybersecurity risk connected across divisions — all need to be secure, or they jeopardize the other. It’s the CRO’s job to make that reality part of the organization’s collective consciousness. And while the CIO must take action within the context of a company’s technology, the CRO has the opportunity — indeed, the responsibility — to convene disparate stakeholders to unify the overall cybersecurity approach.
The CRO plays a key role in aggregating risk in addition to that of convening. Gaining the whole picture for the organization is vital. By convening all parties — the Chief Information Security Office (CISO), the Chief Marketing Officer (CMO), third-party risk management, and front-office IT departments — the CRO can truly aggregate the risk in ways that other executives cannot. In effect, third parties introduce new risk to the environment; different divisions employ new technology outside the purview of the IT department; and new technology within the product line creates front-office risk issues, as product support may require connectivity with consumers and customers. The CRO needs to lead the corporate assessment of all this risk.
A CRO should ensure his or her company is using advanced cybersecurity systems and analytics, particularly real-time dashboards. A CIO may be in charge of implementing these sorts of systems, but the CRO should insist on them for assessing risk on a minute-to-minute basis.
There is wide disparity among organizations as to the sophistication of these analytics. As noted above, financial services firms have largely figured out the need for protection. In fact, bank CROs generally already have taken on the responsibility of monitoring the risk portfolio in real time as their industry’s regulators have demanded that level of transparency.
However, non-financial industries that face regulation may be most likely to be pushed in this direction as they are asked to present their risk profiles. Indeed, regardless of industry sector, business line, or business model, every company faces this risk — and must acknowledge it. Once the dynamic and constant nature of the cyber threat is understood, the importance of these toolsets for all types of companies is clear. Surveying a constantly updated picture of the company’s risk portfolio is key to a CRO’s success.
As technology improves, those advancements could also work in favor of threat actors who have even more tools at their disposal. A global study by the Ponemon Institute released this past June found that data breaches, on average, cost companies $4 million (US) for each occurrence, with that amount increasing almost 30% over the last three years. That number was $7 million per occurrence for US-based businesses. While cybersecurity has become a major issue as a result of increasing losses, it’s obvious that tomorrow — and going forward — it will be of even greater importance as the threat grows exponentially. As the pace of technological change is only increasing, the need for cybersecurity measures will only continue to grow.
So far, cyber breaches have primarily resulted in theft of value — meaning measurable assets or a measurable impact on a company’s valuation, for instance — but have yet to create safety issues or cause loss of life. However, imagine the outcry if a car manufacturer’s computers that communicate periodic software patches to previously sold cars get breached — and as a result, control of vehicles on the road is compromised. While certain cases of cars being “hacked” demonstrate that theoretically someone could gain control of a vehicle, those issues have not occurred — or have not yet been reported — as a result. Yet companies and regulators will crack down fast when safety becomes the focus.
The modern CRO needs to establish a dynamic cyber risk assessment process that spans the entirety of their company and operates in near or real time, while continuing the role of forecasting and assigning risk in a more traditional sense. Increasingly, however, the CRO must manage all risk at the speed of the digital age.
Principal, PwC US