
12/15/2015 09:30 AM

The CISO's New Best Friend & New Boss

What does the rise of the chief data officer and the digital risk officer mean for the chief information security officer?

CISOs, you've got a hard job. There are some new positions on the corporate org chart whose occupants are eager to take a piece of the infosec action off your plate. The question is, can you work with them rather than against them, and still keep your authority (and your paycheck)?

You already fight this battle with the CIO. So what about the new Chief Data Officer and Digital Risk Officer? Are they friends or foes?

Chief Data Officer

Meet your new best friend.

You know those Social Security Numbers you'd like to encrypt, but you don't know all the places they're stored? And that pile of data you don't know how to classify (what's sensitive, what's useless, what needs to be saved, what can or must be deleted)? And those behavior analysis tools you bought to recognize when data is being accessed in an abnormal pattern...but you have no idea what the normal pattern is?

The chief data officer is going to help you with all of that.

The CDO's domain is "the who, what, when, where, how, and even why of data," says Todd Feinman, CEO of data management firm Identity Finder. It's work that typically falls under the job description of the CIO, says Feinman, "but it just doesn't get done."

The CDO usually reports to the CIO, but sometimes to the CEO with a "dotted line" to the CIO, says Feinman. Could the security department steal the CDO all for itself though? Feinman doesn't think so.

"The problem is, it's a data role, it's not a security role," he says. "The CDO doesn't necessarily have to be just for security purposes."

So, you may have to share them with other departments, but the good news is "we only see this as a friend [to the CISO]," says Feinman.

So don't feel the need to give this person an intimidating, bone-crushing handshake when you're introduced. He or she could be on your side, solving your shadow IT problem, zipping through e-discovery requests, and making your access controls much more effective. Plus, when you do experience a breach, you'll be grateful to your CDO for trimming down your PII database before the bad guys got to it.

Digital Risk Officer

Meet your new boss. (Or, the new you.)

Plenty of companies have Chief Risk Officers, but as organizations do more business online, the nature of their risk exposure changes. Add the Internet of Things to the mix and things get really interesting. For these reasons, some organizations have begun to add Digital Risk Officers to their teams, executives who focus only on the risks that relate to a company's "digital operating model."

Gartner predicts that "by 2017 one-third of large enterprises engaging in digital businesses will have a digital risk officer or equivalent."

As a recent PwC Technology Institute report describes:

Digital risk governance requires a new set of mandates that expand beyond the traditional scope of Chief Information Security Officer (CISO) and Chief Risk Officer (CRO). Digital operating models need to incorporate many corporate functions, including marketing, merchandising, technology, customer support, and finance.

As the Internet of Things (IoT) magnifies increased dependencies and overlaps within your organization, your company may consider investing in developing a Digital Risk Officer (DRO).

According to PwC, some web security issues will fall under the DRO's bailiwick, including social media usage policies and fraudulent payments at online shops.

They will also have to manage financial, regulatory, and operational risks related just to the digital side of the business. As Heather Levy wrote for Gartner, DROs "will manage risk at an executive level across digital business units, working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
