With cyberattacks making headlines almost daily, the role of the chief risk officer (CRO) is more important now than ever before. In addition to analyzing, monitoring, predicting, mitigating and evaluating many types of risks and conditions, CROs are held responsible for ensuring compliance with rapidly evolving industry regulations and for analyzing IT operations to prevent data leakage.
According to Amir Mizhar, Chief Software Officer and Founder of Safe-T, and an expert white-hat hacker, there are six major forces at play that are increasing enterprises’ dependence on their CRO.
Increasing Regulatory Pressure
Regulations like the Sarbanes–Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), ISO 27001, and the Basel II Accord mandate the strict protection of sensitive personal financial information. As a result, companies are forced to analyze and integrate all of their business processes that involve the access and sharing of sensitive data. The CRO’s role of understanding, integrating and then responding to regulatory requirements is critical to managing the operational complexity of compliance while preventing data leakage.
Consumerization of Enterprise Data
Now that mobile computing has become the norm, anytime-and-anywhere connectivity combined with high-volume portable data storage has created new data vulnerabilities. In addition, the use of social media for crowdsourcing has increased the risk of unintentional sharing of personal and company data, making it easy prey for cyberattacks. A CRO is essential for defining and enforcing policies that prevent data leakage resulting from this increased exposure of sensitive data, he says.
Growth in Cloud Computing
All too often, line-of-business users set up applications and move data into the cloud without understanding all of the security implications. The data breach at Target was one of a series of startling thefts that took place during the normal processing and storage of data in the cloud. Clouds represent concentrations of corporate applications and data, and if an intruder penetrates far enough, there is no telling how many pieces of sensitive information will be exposed. In order to prevent data loss, all of these risks need to be analyzed and preempted by a CRO, Mizhar says.
Rise of Internal Fraud
The CRO needs to be aware that the threat can also come from within. According to the latest study by the Association of Certified Fraud Examiners, businesses lose close to five percent of their revenues each year to insider fraud, which erodes their data integrity and security, consumer confidence and bottom line. “This is especially true when employees are familiar with the controls that have been put in place, and can try to circumvent them,” Mizhar says. “When companies require certain transactions to be authorized by a second employee, the fraudsters can work together to ensure that fraudulent activities are approved. Bank employees who know the size of transactions that will set a red flag for suspicious activity can syphon off smaller amounts of money over a longer period of time to avoid detection. Having a risk officer who can analyze processes across departments and between suppliers and partners provides a needed layer of data protection.”
Creating New Lines of Defense
“The role of the CRO involves meeting with peers, vendors and industry security experts to discuss challenges, recent cyberattacks and mitigation strategies, and then applying this information to their own environment,” Mizhar says. “Having a diverse group of experts within their network is critical to predicting potential negative outcomes. By modeling and predicting detrimental events in a proactive manner, the CRO can be much more successful in controlling potential cyberattacks and information loss.”
Today many enterprises need to invest time and money in multiple solutions, including secure email, file transfers, mobile communications and cloud data protection. A CRO is able to combine the requirements and recommend an integrated solution. In addition to improved usability and lower operational costs, using a uniform method to secure sharing reduces the risk that a security breach will go undetected.
Out of all of the reasons above, the number one reason an enterprise needs a CRO, Mizhar says, is to have a “senior-level single point of contact for risk oversight across an entire organization. A CRO can provide expert leadership and guidance in the areas of risk analysis and compliance-related topics. The CRO should also provide insight to the senior-level executives as to the current state of the firm’s overall risk that might not otherwise be obvious at an operational level. In addition, a CRO can work with a CSO by providing him/her with information from another group or outside entity involving a past or potential future threat in an effort to minimize or eliminate loss. Basically, rolling risk into a single point of contact for a firm and making sure that information is shared across the organization.”