Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

09:30 AM
Connect Directly

The CISO's New Best Friend & New Boss

What does the rise of the chief data officer and the digital risk officer mean for the chief information security officer?

CISOs, you've got a hard job. There are some new positions in the corporate org chart who are eager to take a piece of the infosec action to help you out. The question is, can you work with them, not against them, and ensure you keep your authority (and your paycheck)?

You go through this battle with the CIO already. So, what about the new Chief Data Officer and Digital Risk Officer? Are they friends or foes?

Chief Data Officer

Meet your new best friend.

You know those Social Security Numbers you'd like to encrypt, but you don't know all the places they're stored? And that pile of data you don't know how to classify (what's sensitive, what's useless, what needs to be saved, what can or must be deleted)? And those behavior analysis tools you bought to recognize when data is being accessed in an abnormal pattern...but you have no idea what the normal pattern is?

The chief data officer is going to help you with all of that.

The CDO's domain is "the who, what, when, where, how, and even why of data," says Todd Feinman, CEO of data management firm Identity Finder. It's work that typically falls under the job description of the CIO, says Feinman, "but it just doesn't get done."

The CDO usually reports to the CIO, but sometimes to the CEO with a "dotted line" to the CIO, says Feinman. Could the security department steal the CDO all for itself though? Feinman doesn't think so.

"The problem is, it's a data role, it's not a security role," he says. "The CDO doesn't necessarily have to be just for security purposes."

So, you may have to share them with other departments, but the good news is "we only see this as a friend [to the CISO]," says Feinman.

So don't feel the need to give this person an intimidating, bone-crushing handshake when you're introduced. He or she could be on your side, solving your shadow IT problem, zipping through e-discovery requests, and making your access controls much more effective. Plus, when you do experience a breach, you'll be grateful to your CDO for trimming down your PII database before the bad guys got to it.

Digital Risk Officer

Meet your new boss. (Or, the new you.)

Plenty of companies have Chief Risk Officers, but as organizations do more business online, the nature of their risk exposure changes. Add the Internet of Things to the mix and things get really interesting. For these reasons, some organizations have begun to add Digital Risk Officers to their teams who focus just on the risks that relate to a company's "digital operating model."

Gartner predicts that "by 2017 one-third of large enterprises engaging in digital businesses will have a digital risk officer or equivalent."

As a recent PwC Technology Institute report describes:

Digital risk governance requires a new set of mandates that expand beyond the traditional scope of Chief Information Security Officer (CISO) and Chief Risk Officer (CRO). Digital operating models need to incorporate many corporate functions, including marketing, merchandising, technology, customer support, and finance.

As the Internet of Things (IoT) magnifies increased dependencies and overlaps within your organization, your company may consider investing in developing a Digital Risk Officer (DRO).

According to PwC, some web security issues will fall under the DRO's bailiwick, including social media usage policies and fraudulent payments at online shops.

They will also have to manage financial, regulatory, and operational risks related just to the digital side of the business. As Heather Levy wrote for Gartner, DROs "will manage risk at an executive level across digital business units, working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/13/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-13
The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in th...
PUBLISHED: 2020-07-13
The version of docker as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 advisory included an incorrect version of runc missing the fix for CVE-2019-5736, which was previously fixed via RHSA-2019:0304. This issue could allow a malicious or compromised container to compromise the co...
PUBLISHED: 2020-07-13
An issue was discovered in the Video Extension in Suprema BioStar 2 before 2.8.2. Remote attackers can read arbitrary files from the server via Directory Traversal.
PUBLISHED: 2020-07-13
The goform/setUsbUnload endpoint of Tenda AC15 AC1900 version allows remote attackers to execute arbitrary system commands via the deviceName POST parameter.
PUBLISHED: 2020-07-13
A hard-coded telnet credential in the tenda_login binary of Tenda AC15 AC1900 version allows unauthenticated remote attackers to start a telnetd service on the device.