A new security role called the digital risk officer (DRO) is emerging in response to new cyber threats introduced by the Internet of Things (IoT), according to Gartner United States distinguished analyst Paul Proctor.
He has forecast that some enterprises will have a DRO or equivalent role by 2017 to handle risks that may emerge from the IoT.
"DROs will require a mix of business acumen and understanding with sufficient technical knowledge to assess and make recommendations for appropriately addressing digital business risk," he said in a statement.
According to Proctor, the scope of a DRO is “very different” to that of a chief information security officer (CISO).
“The DRO will report to a senior executive role outside of IT such as the chief risk officer, chief digital officer or the chief operating officer. They will manage risk at an executive level across digital business units working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations,” he said.
- How to present cyber security issues to the board
- Telstra CISO responds to customer data privacy concerns
- Top four tips to improve your security program
According to Proctor, IoT and connected devices form a “superset of technology” that challenges the ability of existing cyber security structures, skills and tools to manage technology risks.
“Simply expanding the portfolio of the existing IT security team to include technology risk for all Internet-aware technology is not viable,” he said.
“New technology managed outside of the IT department requires skills and tools beyond the competence of the IT security team in its current responsibilities, and the teams involved in management of these technologies are culturally distinct from the IT department.”
In addition, he said the development of a digital risk management capability requires deconstruction and re-engineering of enterprise structures and allocations of responsibility, as well as the development of new capabilities in security and risk assessment, monitoring, analysis and control.
"DROs will influence governance, oversight and decision making related to digital business. This role will work with CEOs and managing directors in various capacities to better understand digital business risk and facilitate a balance between the needs to protect the organization and the needs to run the business.”
Trying to bridge the “cultural gap” between DROs and CEOs presents a significant challenge, however. “Many executives believe technology – and technology-related risk – is a technical problem, handled by technical people, buried in IT. If this gap is not bridged effectively, technology and consequent business risk will hit inappropriate levels and there will be no visibility or governance process to check this risk,” he said.
According to a Gartner CEO and senior executive survey conducted in April 2014, 50 per cent of the 410 CEOs, CFOs, COOs and other executives who took part said they will have a senior digital leader role in their staff by the end of 2015.
The survey was conducted in Asia Pacific, North America, Europe, Japan, Brazil, South Africa and the Middle East. There were 154 responses from North America, 114 from Europe, 118 in APAC including 18 responses from Australian executives, 10 responses from Brazil, eight from South Africa and six responses from the Middle East.
In response, IDC Australia senior market analyst Vern Hue told CIO Australia that the firm doesn’t have a view that there will an “immediate new role” of a DRO established.
However, he said that there is a shift in how the chief information security officer (CISO) and chief security officer (CSO) roles are evolving to take on a more active role in cyber risk – both in terms of outlining frameworks and mitigation.
“Currently, most CISOs and CSOs also wear that hat particularly with the mitigation part of it, and that portion usually sits under the IT umbrella. But with more impending legislation in play, the risk framework is increasingly becoming more important and that will require a different mind and skillset that would deal primarily with the legal and operations teams,” he said.
“What Gartner describes as the DRO will have to deal with simplifying procedural issues, as currently, most processes in today’s corporations are cumbersome and involve too many manual processes.”
Follow Hamish Barwick on Twitter: @HamishBarwick
- Three reasons government tech projects fail
- Canberra public Wi-Fi network to power smart parking
- IT security needs to market itself to the business: Woolworths
- Department of Finance drafts cyber security clauses