Those pundits at Gartner are trying to coin a new phrase (like they did with portals) and have started discussing the term “digital risk officer” (DRO). They state that the Chief Information Security Officer (CISO) will now develop a different profile from the DRO: the CISO will focus on enterprise network security and compliance, while the DRO will oversee the CISO and focus efforts on the risks from digital innovation.
In a word, bullcookies.
The real issue is the evolution in the business model from IT being structurally a separate function to technology being the underpinnings of the whole business. The risk from any activity these days has digital components to it, and the additional endpoints that internet-enabled objects (IoT) bring to the firm carry the same risk that internet-connected humans bring, as all of them can be hacked or compromised. So you have many more endpoints to protect — this is not new. But the depth and breadth of what falls within the operational frame of control is the question.
The COO needs to assess operational risk, both structurally and in terms of perimeter security. Risk is both strategic and operational, so digital risk is a vague term, as it covers both strategic direction (loss of intellectual property) and operational effectiveness (security breaches, etc.). From a public company perspective, the question is: who is liable for the risk if it is not addressed?
Security needs to be baked into process, procedure and infrastructure so that all digital assets are securable. THAT is the message that needs to come out, not new titles and hierarchical job functions. #justmytwocents