Somewhat unsurprisingly, it’s been speculated that due to trends such as ‘Bring Your Own Device’ and the Internet of Things (IoT), IT security practices defined by the chief information officer will have to be expanded. According to Gartner, it will take the form of the ‘digital risk officer’ (DRO).
It will be their task to identify and define the risks associated with their company’s digital innovation. The reasoning behind this new role is that by 2020, 60 per cent of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases. IT, operational technology (OT), IoT and physical security technologies will have interdependencies that require a risk-based approach to governance and management.
So digital risk management is now considered the next evolution in enterprise risk and security for digital businesses that are expanding the scope of technologies.
But how do you go about finding one? Paul Proctor, vice president and analyst at Gartner, suggests that digital risk officers will require a mix of business acumen and understanding with “sufficient technical knowledge to assess and make recommendations for appropriately addressing digital business risk.”
In most cases, chief information security officers (CISOs) will evolve into DROs as they begin to own, or form effective partnerships with, digital security teams managing other forms of technology.
“Although many traditional security officers will change their titles to digital risk and security officers, without material change in their scope, mandate, and skills they will not fulfil this role in its entirety,” Proctor adds.
The impact of this new structure of digital risk governance and management on IT and IT security operations is expected to be minimal, particularly in those enterprises that have already appointed a chief risk officer. However, the potential impact on the culture of IT and IT security teams is major.
“By 2019, the new digital risk concept will become the default approach for technology risk management,” said Proctor. “Digital risk officers will influence governance, oversight and decision making related to digital business. This role will explicitly work with non-IT executives in various capacities to better understand digital business risk and facilitate a balance between the need to protect the organisation and the need to run the business.”
“However, the cultural gap between IT and non-IT decision makers presents a significant challenge. Many executives believe technology and therefore technology-related risk is a technical problem, handled by technical people, buried in IT. If this gap is not bridged effectively, technology and consequent business risk will hit inappropriate levels and there will be no visibility or governance process to check this risk.”