Lohrmann on GovSpace

About this Blog:

Musings of a state government CSO.

Dan Lohrmann

The Next Chief Risk Officer: Are You Sure?


It was 6:15 AM, and I was about half done with my daily workout on the treadmill in my basement. I was watching "First Business" out of Chicago. The topic was Aon's 2009 Global Risk Management Survey, and the interview really surprised me.

 Laura Taylor of Aon described the top ten list and how things changed from 2007. She even made a few predictions about 2011. According to the survey respondents, the Top 10 most pressing risks are:



  1. Economic slowdown

  2. Regulatory/legislative changes

  3. Business interruption

  4. Increasing competition

  5. Commodity price risk

  6. Damage to reputation

  7. Cash flow/liquidity risk

  8. Distribution or supply chain failure

  9. Third-party liability

  10. Failure to attract or retain top talent


 I stopped the treadmill. (I never do that.)  OK, where's cyber?  How about data breach, information security, identity theft, hackers, viruses, worms, protecting critical infrastructure or anything remotely related to securing computers or technology?  No mention of Payment Card Industry (PCI) compliance, protecting health records or other personal information, extortion attempts against companies and governments or foreign governments spying on companies.

What's up with that? Do these results surprise you as much as they did me?

I know, I know, a contrary argument can be made that information security risk and/or other IT risks are built into more than one of these items. It is true that business reputation includes online activities, but aren't we stretching things if we go down that road? The "virus example" given for business interruption was the "Swine Flu" virus.

There are many implications of this survey for CSOs, CISOs and other IT professionals. The survey helps security staff understand and use business language to describe risk. But there's another interesting ramification to these results which may impact your career. The Internet is full of stories about security governance and the proper role of the CSO. Many articles suggest that CSOs or CISOs will ultimately become (or merge with) the new "hot job" called Chief Risk Officer (CRO) - reporting to company CEOs. Similar stories go back to my early days as a CISO in 2003.

 One of the first articles I read at CSOonline.com was from the very talented Vice President and CISO from Motorola, Bill Boni. I've learned much from Bill over the years, and I respect and admire his approach to security and risk.  Bill's view on this topic? "As the role develops, the CSO will become more of a chief risk officer, an executive in charge not only of the technological risks a company may face but also the business risks married to security concerns."    

Bill's described path for CSOs to become CROs became my career perspective during the years I served as Michigan's CISO (from May 2002 until January 2009). The Chief Risk Officer role seemed like a logical next step for my career. But as the CRO role continues to grow in importance, the path to a CRO may be different than many CSOs think. Most of the skills listed for the CRO role have little to do with technology.

A few disclaimers: I think the CSO and CISO roles are more alive and healthy today than ever before. I don't think they are going away anytime soon. My move to Chief Technology Officer (CTO) had nothing to do with any fears for the security profession. In fact, I get more internal and external contacts than ever before from people who ask how they can become CISOs. Perhaps the industry is heading towards a Chief IT Risk Officer, as Gartner described late last year. That role would report to a company-wide or government-wide CRO. But I still like CISOs reporting to CIOs, if the CIO reports to the Governor (or CEO) and runs IT.

Hopefully the main point of this blog is clear: broadening your perspective on risk can help. Keep trying to see the business point of view. Don't back down on technology issues, but be open to new angles and listen to the business's problems.

Or getting more personal, if you think you'll be the next Chief Risk Officer, are you sure?   
