More Chief Digital Risk Officers (CDROs) are now being appointed to hold strategic roles which combine digital expertise with high-level management skills.
According to a report jointly authored by BT and KPMG, “Taking the Offensive – Working Together to Disrupt Digital Crime”, 26% of respondents confirmed that a CDRO has already been appointed, while the security role and its accountability are being re-examined.
David Ferbrache, KPMG technical director and former head of Cyber & Space at the Ministry of Defence, said that the role of the CISO is changing: a more technical CISO does not engage with the business, does not translate well between technology and business functions, and may not understand what generates value for the business.
“As the business becomes more about the digital challenge, the priority for the business becomes a balance of risk and opportunity so they may want to exploit the challenges that it brings, but there is always a cyber-risk and you have to have those debates early on inside the team to develop a digital strategy around those digital platforms and go to market around them,” he said.
“It’s not about technical security; it is about those opportunities of balancing risk and opportunity.”
Ferbrache said that a convergence of security and digital elements will help manage risk in an agile way. He added that cybersecurity is evolving: the CDRO brings a different style of role, a different style of working, and a holistic approach spanning detection, protection and recovery.
Asked if the role of a CDRO fits within the GDPR’s requirement of a Data Protection Officer, Mark Hughes, CEO Security at BT, said that there definitely is a big crossover, but often data may not be secure in the right jurisdiction, and there is a lot that the digital CDRO role will bring into the mix from a security point of view.
He said: “I work very closely with our head of data privacy and in the future I see things going forward with cooperation to get a strategy right for an organization and right for security, so I definitely see a crossover but I do not see a merger per se—but who knows what will happen in the future.”
Ferbrache said that he does see organizations with a CDRO, but organizations such as banks often have legacy systems wrapped by newer systems, and the security team often feels quite risk-averse.
“My concern is you end up with stove pipes [for security and digital] and I don’t think that is sustainable over the long term, but in the digital team you will find the talent, and see plenty of CISOs who can contextualize security for the business,” he said.
Hughes said that, in principle, there are organizations which handle digital and security separately, and the two need to merge, with the right focus in the right area.