Axioms are common in the privacy and security space. One that has been popping up with more frequency is “privacy and security is an enterprise risk that requires an enterprise-wide effort to appropriately address.” It is easy to say, hard to execute and absolutely necessary.
We work with hundreds of companies a year during security incidents, proactive risk and security assessments, compliance advisory projects, and transactions. So we see the amount and variety of technology and digital assets in use at an entity, and we see the challenges in managing the attendant risks. Marketing tries out something new using a vendor that will put the entity’s data in the cloud without vetting the service or the contract through the security and legal groups. Security teams struggle to translate risks in terms that “non-techies” can understand to win enough resources to adequately secure an environment that increasingly has no boundaries. Legal teams are stretched thin and often learn of new initiatives only at a point when there is not enough time to have a meaningful impact. Rarely is there one person at the entity who has visibility to see the whole picture, let alone the skills, experience and dedicated role to adequately manage the risk.
Even though consulting companies like Gartner have been talking about the need for a chief digital risk officer (DRO) role for years, we rarely see that role except in a couple of highly regulated industries and at entities that previously had significant incidents. And there are not a lot of people who have the mix of security, legal and business knowledge and acumen to fill the role. But we are seeing changes. Just as we have seen big improvements in recent years to the sometimes icy relationships between internal security teams and in-house legal counsel, we encounter fewer people who are too intimidated by the mystique of “cyber” to actively participate. So we are seeing more small, informal working groups being formed to tackle these issues. Efforts to comply with the General Data Protection Regulation have been a big driver of this change. The new California Consumer Privacy Act will likely continue the trend. The attorneys participating in these informal risk working groups will be exposed to the security and business issues that will prepare them to fill a chief DRO role. And as entities see the impact the informal working groups are having and recognize that securing assets and data is much more complicated than hiring a security team, we can expect to see more entities employing a chief DRO.