This article in TechTarget Search Security accurately points out how as the effectiveness of enterprise IT security continues to deteriorate , the role of the CISO is increasingly being put up against impossible standards and unrealistic expectations.

Is the CISO job description getting out of hand?

What the article does not mention is how the decline in IT security is very much related to the “digitization” of business and is also fueling the advent of digital risk management (DRM) strategies and the emergence of the Digital Risk Officer (DRO).

It’s been well documented that the digitization of business has led to a dramatic improvements in productivity and business at all levels, but this “digitization” has also created a myriad of new risk factors that are compounding problems for the CISO and the IT organization. Risk is no longer limited to threats to traditional IT systems being monitored by traditional IT security systems. Operational technology and physical security are also becoming digitized and are increasingly interdependent with the IT systems and the Internet of Things (IoT), which requires a risk-based approach to governance and management.

If we agree that conventional cyber security is no longer the soles means for protecting the organization, particularly large organizations, then it stands to reason that the CISO must evolve and contribute as part of a new breed of DRM solutions that provide the foundation for managing risk across various functions by relying on the prioritization and quantification of the business impact of digital risk.

The good news for CISOs is that help is on the way


As we’ve noted previously, Gartner sees DRM as the next evolution in enterprise risk and security and DROs are leading this new discipline. The DRO is a senior executive in charge of the digital business with a role that is very different from the CISO. The DRO will manage risk from a business perspective and will directly work with peers in business operations, compliance and IT security. The DRO will also be tasked with bridging what undoubtedly will be a cultural divide between the CISO and IT organization and DRMs emphasis on digital risk from the business perspective.

At the same time, the responsibility for effectively securing and managing risks to the organization will start to shift from IT and the CISO to the DRO.

The DRO will work with the CISO but will ultimately be the one who is enabling business leaders to understand the risk profile of their operations from a business perspective and for the organization as a whole. The DRO will facilitate risk mitigation decisions based on the level of operational and financial risk.

In a nutshell, the key focus of DROs as they implement a DRM strategy:

  • Collaborate with the CISO’s and the business owners (CEO, COO)
  • Augment risk analysis and assessment activities by integrating operational and financial risk factors
  • Establish programs and teams where system designs and operations have built-in protection mechanisms that augment the ‘bolt-on’ security mechanisms implemented today
  • Establish integrated monitoring programs that are not just external threat intelligence monitoring but also includes the operational environment

To learn more and collaborate with like-minded others join us in the Digital Risk Management Institute.