Large organisations are increasingly threatened by digital risks, yet the world’s population of chief digital risk officers could fit into a London taxi. Finding people with the right mix of skills for this crucial role is a significant challenge – and one that must be overcome.
Gartner Consulting has predicted the rise of the CDRO since 2014. However, while there are more than 2,000 people worldwide with the ‘chief risk officer’ title, a LinkedIn search in late 2018 still turns up just a handful of CDROs.
There’s no shortage of issues for these specialists to sink their teeth into. Big companies everywhere are implementing digital transformation projects, which bring myriad extra risks. Data scandals and cyber security hit the headlines regularly, propelling these issues to the top of corporate agendas.
And regulators have been busy in this space. The General Data Protection Regulation is now in effect in the EU, while the California Consumer Privacy Act will be implemented in 2020. The US Congress is also considering comprehensive privacy legislation.
Such developments are forcing businesses to look closely at their data practices and address the often-segmented nature of their systems, according to a 2018 Gartner report. A CDRO can spearhead an integrated approach and play a pivotal role in deciphering risks, pushing improvements, and translating the results for customers and regulators.
But here lies the rub. To carry out this work successfully, CDROs need to be innovative, outcome-driven, and commercially and politically savvy, according to Gartner. They also need skills in design, programme management, risk management and business analysis. This collection of abilities is very hard to find in any one person.
Yet that is no excuse. Companies must overcome the skills challenge, because without a CDRO, they will be exposed to undue risk of severe financial and reputational impacts.
The current lack of holistic control in many organisations is dire. According to the Gartner report, traditional cyber security teams are not prepared to address new risks introduced by digital business initiatives. While 68 per cent of organisations with such initiatives now have a cyber security expert, they are still incapable of managing wider digital risk, it states. By the time the need for integrated risk management becomes clear, it is often too late, the report adds.
A blog by Craig Hoffman, a partner at Cincinnati-based law firm BakerHostetler, outlines the severity of the skills shortage.
“We work with hundreds of companies a year during security incidents [and other digital risk-related activities],” he states. “We see the amount and variety of digital assets in use, and the challenges in managing the attendant risks. But we rarely see a CDRO – one person who has [the overall] visibility, let alone the skills, experience and dedicated role to manage the risk. Few people have the mix of security, legal and business acumen to fill the role.”
Still, Mr Hoffman sees signs that more companies recognise the need for a CDRO, thanks to regulations like GDPR and CCPA, and anticipates more entities filling the role.
Peter Lefkowitz is chief privacy and digital risk officer at multinational software firm Citrix, and chairman of the International Association of Privacy Professionals. At Citrix, his role is to define and uphold privacy standards for customer data, no matter where it is used or accessed. His work also covers a broad range of topics tied to data and systems management, including privacy compliance, advising on vendor risk management, data protection reviews for products and systems, and customer and public policy engagement. This goes beyond a traditional chief privacy officer role to incorporate data strategy and security across products and cloud solutions, he says.
Large organisations need CDROs because customers are increasingly knowledgeable about issues around security, privacy and compliance, and expect transparent and responsible data practices from providers, Mr Lefkowitz says. He thinks this will drive a growth in the number of CDROs and similar roles, an expansion that “will also be forced by the progression of privacy and data security laws globally to incorporate accountability,” he adds.
“The CDRO role demonstrates that we take our responsibilities seriously for all the data we manage for our customers, employees and partners.”