CISOs, you've got a hard job. There are some new positions on the corporate org chart whose occupants are eager to take a piece of the infosec action to help you out. The question is, can you work with them, not against them, and ensure you keep your authority (and your paycheck)?
You go through this battle with the CIO already. So, what about the new Chief Data Officer and Digital Risk Officer? Are they friends or foes?
Chief Data Officer
Meet your new best friend.
You know those Social Security Numbers you'd like to encrypt, but you don't know all the places they're stored? And that pile of data you don't know how to classify (what's sensitive, what's useless, what needs to be saved, what can or must be deleted)? And those behavior analysis tools you bought to recognize when data is being accessed in an abnormal pattern...but you have no idea what the normal pattern is?
The chief data officer is going to help you with all of that.
The CDO's domain is "the who, what, when, where, how, and even why of data," says Todd Feinman, CEO of data management firm Identity Finder. It's work that typically falls under the job description of the CIO, says Feinman, "but it just doesn't get done."
The CDO usually reports to the CIO, but sometimes to the CEO with a "dotted line" to the CIO, says Feinman. Could the security department steal the CDO all for itself though? Feinman doesn't think so.
"The problem is, it's a data role, it's not a security role," he says. "The CDO doesn't necessarily have to be just for security purposes."
So, you may have to share them with other departments, but the good news is "we only see this as a friend [to the CISO]," says Feinman.
So don't feel the need to give this person an intimidating, bone-crushing handshake when you're introduced. He or she could be on your side, solving your shadow IT problem, zipping through e-discovery requests, and making your access controls much more effective. Plus, when you do experience a breach, you'll be grateful to your CDO for trimming down your PII database before the bad guys got to it.
Digital Risk Officer
Meet your new boss. (Or, the new you.)
Plenty of companies have Chief Risk Officers, but as organizations do more business online, the nature of their risk exposure changes. Add the Internet of Things to the mix and things get really interesting. For these reasons, some organizations have begun to add Digital Risk Officers to their teams who focus just on the risks that relate to a company's "digital operating model."
Gartner predicts that "by 2017 one-third of large enterprises engaging in digital businesses will have a digital risk officer or equivalent."
As a recent PwC Technology Institute report describes:
Digital risk governance requires a new set of mandates that expand beyond the traditional scope of Chief Information Security Officer (CISO) and Chief Risk Officer (CRO). Digital operating models need to incorporate many corporate functions, including marketing, merchandising, technology, customer support, and finance.
As the Internet of Things (IoT) magnifies increased dependencies and overlaps within your organization, your company may consider investing in developing a Digital Risk Officer (DRO).
According to PwC, some web security issues will fall under the DRO's bailiwick, including social media usage policies and fraudulent payments at online shops.
They will also have to manage financial, regulatory, and operational risks related just to the digital side of the business. As Heather Levy wrote for Gartner, DROs "will manage risk at an executive level across digital business units, working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations."