I want to be a Chief Risk Officer (said no one…. ever)

Issue 9 2020 Security Services & Risk Management

For the last decade, key business judgements have been left in the hands of the CEO and chief financial officer (CFO), with the chief technology officer (CTO) overseeing important technology-related decisions – often in isolation from the rest of the business. But now with universal online access, a focus on going ‘paperless’ and the rise of the hybrid workforce due to COVID-19, the chief risk officer (CRO) sitting in the back office on the first floor is more important than ever.

The core tenets of securing business have always been to maintain business continuity by ensuring the confidentially, integrity and availability of systems and information. The paradigm shift needed today becomes evident when one looks at the pace of evolution of threats as ICT has evolved during the last four decades compared to the last four years.

In the past, CROs typically managed risk-related duties within their respective specialised areas. But along came the Fourth Industrial Revolution (4IR) with technology reinventing the way businesses operate and forever transforming the role of the CRO.

Advances and extortion

Every technology that has reached momentum and become commonplace as a tool for progress and digital transformation has also become an opportunity for extortion or sabotage by cyber criminals. Now with the burst of staff required to work remotely there are additional complexities in securing company data while minimising the impact on productivity.

For example, IoT has shed a new light on data, accumulating it, analysing it and helping businesses to derive meaningful insights, while blockchain continues to simplify online banking transactions.

At Rectron we have seen the evolution ourselves as we begin to deal with our customers’ risk evangelists more. Someone that used to sit unnoticed in a back-office corner is now critical, because as business and technology models change, so do the associated risks. Businesses are more dependent on technology than ever before, and with this growing dependence, new risks have emerged for the CRO, such as cybersecurity, human resources (HR), and data privacy risks.

In fact, data protection has rapidly become a top priority for South African businesses. With the Protection of Personal Information Act officially in effect at the beginning of July 2021, companies have under a year to fully comply. Within this time, they must ensure the correct tools and procedures are in place for processing, storing and securing data.

Accumulating vast amounts of data requires a data guardian, a custodian who understands the intricate data universe and can act as a gatekeeper to ensure its safekeeping. Stepping up to the challenge, CROs manage and mitigate the associated risks of 4IR, while implementing sufficient processes, controls and policies. Instead of being reactive, CROs are now proactive, identifying hidden risks, looking at what lies beneath, questioning the unknown.

The role of the CRO has become indispensable to executive teams. Seen as an advisor to the board and C-suite, CROs are key in crises and essential when transitioning from crisis to recovery.

Security risks

The CRO works closely with the IT department to identify what makes systems and applications vulnerable and ensure proper process documents are in place to enable the company to respond to any growing number of threats that might compromise security.

Advances in technology have seen new cybersecurity threats emerge, posing a real risk to businesses that are information- and data-driven, as perpetrators’ methods become increasingly sophisticated. According to a report by Bitdefender, 86% of information security professionals acknowledge that cybersecurity attacks across most common attack vectors have been on the rise during COVID-19.

And the rise in phishing, ransomware, social media threats and supply chain attacks has ultimately increased the scope of responsibilities for CROs.

HR risk management

CROs now have an influential role in HR processes, as their decisions on processes and policies impact the way HR operates, from contacting employees to analysing performance and storing documents. This is particularly key since HR is making more use of data collection and analysis, and employees are becoming increasingly concerned over the safety of their personal data as more information about the risks to personal privacy is made widely available.

As companies go paperless, securing employee records requires new security measures. Best practice involves implementing security systems that can safely store this accumulation of digital data. A firewall is a must-have, but policies should also be enforced, governing who has access to employees’ confidential data.

CROs also need to get involved in setting best practice around the use of internal tools and resources, which should be restricted according to an employee’s role. Limiting access is key to ensuring sensitive information doesn’t fall into the wrong hands. The finer detail, like remembering to deactivate users’ access when they leave the organisation, is also critical.

Social engineering is another key issue for CROs to manage as hackers try to steal sensitive company information by tricking employees into giving away key information. We saw just how damaging the effects of social engineering can be with the recent Experian breach, where millions of South Africans’ data was compromised. Training employees on the kind of ploys to look out for can go a long way in keeping them safe from opportunistic cybercriminals.

Tech-savvy solution

CROs need a reputable end-to-end cybersecurity solution in place to stay on top of their game. Since all digital initiatives are now hosted across clouds, CROs should look to a powerful cloud-based security solution like that offered by Microsoft Azure, which can help keep pace with the evolving threat landscape and secure their workloads across a hybrid environment.

The solution should include backup and disaster recovery, essential to the business’s ability to remain up and running in the face of unforeseen disruption. When it comes to implementing new technologies, CROs should interrogate the security behind the solution, whether it is in the cloud or on premise. When dealing with a cloud solution, it can be particularly helpful to read through the security whitepapers released by the vendor to understand how it secures its datacentres.

The right solution ultimately lowers the cyber risk for organisations. By deploying suitable application security systems, companies can mitigate today’s advanced threats.

In the pursuit of business continuity and availability of systems, IT professionals must go beyond the ABCs of security. It has become a choice of fighting technology with technology and finding the right partners to implement it.

CROs have stepped out of the back office and into the boardroom. Coming from behind the scenes, today CROs are in the public spotlight. Often viewed as an unbiased ethics soundboard, the life of a CRO is by no means dull.


Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Communication in any situation
Issue 8 2020, Elvey Security Technologies , Global Communications , Security Services & Risk Management
Global Communications offers an industry-first with five-year warranty on select Kenwood two-way radios.

Read more...
The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Read more...
Free-flow smart weapons detection system
Issue 8 2020, XPro Security Solutions , News, Security Services & Risk Management, Products
Detecting people carrying weapons and preventing them from entering your venue is now possible, without sacrificing the visitor experience.

Read more...
Meeting compliance obligations
Issue 7 2020 , Security Services & Risk Management
Helping businesses in SA understand and meet their compliance obligations to local regulations.

Read more...
Business continuity through a COVID-19 lens
Issue 8 2020 , Security Services & Risk Management
COVID-19 has brought business continuity under scrutiny, with the opportunity to enhance resilience into the future.

Read more...
7 Arrows becomes a part of Fidelity ADT
Issue 8 2020, Fidelity ADT , News, Security Services & Risk Management
Fidelity ADT and 7 Arrows have concluded an acquisition agreement effective 1 October 2020. 7 Arrows will now form a part of Fidelity ADT.

Read more...
Industrialisation or imperialism?
Issue 7 2020 , Security Services & Risk Management
4IR has to be a matter of national agenda; national economic and political sovereignty and national security - necessitating commensurate prioritisation.

Read more...
Password vulnerabilities in South Africa
Issue 7 2020 , Security Services & Risk Management
Research from Kaspersky has shown that people are putting their online safety at risk by making bad password decisions and simple password mistakes that may have far-reaching consequences.

Read more...
The greatest crime-fighting weapon is predictably
Issue 7 2020 , Security Services & Risk Management
Predictability fuelled by artificial intelligence (AI) and big data has the ability to reduce violent crimes by 25% by 2023 according to Aura.

Read more...
PCI DSS can be your PoPIA security blueprint
Issue 6 2020, Galix Group , Security Services & Risk Management
Some of the requirements of PCI DSS can also be used to comply with PoPIA, South Africa’s data privacy law.

Read more...