While many organizations understand the need for a security executive, those that have taken a holistic approach have added the chief risk officer (CRO) position to evaluate all organizational risk. After speaking with academics, experts and executives in the risk and security field, I have found an increasing interest in risk identification and mitigation and identified key factors in developing the ideal role and finding the perfect candidate for any enterprise.
The CRO takes a higher-level approach than the chief security officer (CSO), who is tasked with overseeing the physical security and/or cybersecurity of an organization. The CRO looks at all aspects of risk and how they may affect an organization. This includes physical security and cybersecurity, but may also include financial, insurance, reputational and other risks.