Do you need a Chief Risk Officer (CRO) in your firm?

By Tom Skeen

With cyber attacks and information loss occurring daily, the role of the Chief Risk Officer (CRO) is more important now than ever before. This corporate position is responsible for analyzing, monitoring, predicting, mitigating and evaluating many types of risks and conditions - but in the context of this blog we are going to focus on the Information Technology side of it.

Let's start with the CRO's oversight of the corporate IT audit, as it is critical in every firm, whether small or large. Most might think that an audit is performed only to find fault with the way that engineers and managers are doing their jobs. Although that is one contributing factor to some audit issues, it isn't the main reason for the audit. In fact, the main purpose is to find the risk, analyze the risk and remediate it before an actual undesirable event occurs. The CRO should create an environment where managers, engineers and other supporting staff are encouraged to openly self-report issues in a proactive manner. This will fast-track mitigation of known issues and allow auditors to focus on areas that are not yet identified.

Another, equally important function of the CRO is predicting events. This can be accomplished by staying in touch with what is happening in the market. The CRO should regularly meet with peers, vendors and industry security experts to discuss challenges, recent cyber attacks and mitigation strategies, and then apply this information to their own environment and issues. Having a diverse group of experts within their network is critical to predicting potential negative outcomes. By modeling and predicting detrimental events in a proactive manner, the CRO will be much more successful in controlling cyber attacks and information loss.

If the dreaded cyber attack does occur, the CRO's team must be able to retain the forensic data and information needed to evaluate the event, and in some cases to meet certain regulatory requirements. This must be planned, and a strategy put into place, well in advance of an actual attack. System logs, events, actions taken, keystrokes and credentials used are just some of the important pieces of information that must be captured and preserved for proper analysis. The post-event team will attempt to re-create the actions taken by the intruders, both to improve mitigation in the future and to assist law enforcement officials in identifying the cyber criminals. There would be nothing worse than suffering a cyber attack and not being able to determine, in an expeditious manner, how it occurred - as this would leave the firm vulnerable to another similar attack.

Although these are just a few of the most critical functions of the Chief Risk Officer, you can clearly see that this position is essential to protecting information and mission-critical environments and to creating an inclusive security and risk strategy.

Your Chief Risk Officer is essential to the success of your firm.