Enterprise Risk Management Transforms C Roles and Drives Brand Protection
By Michael Meyer, CRO & CSO, MRS
Do you remember the old nursery rhyme where two pigs didn’t prepare for the wolf’s huffing, puffing and trickery…but one pig did? So what did the one pig do differently than the others? He evaluated all of the current and future “wolf risks” better, decided what needed to be done - and did it!
While the nursery rhyme is quite old and simplistic, it perfectly illustrates why, even today, some businesses end up in the news like Sony, Target and Home Depot and some don’t. We all know why these things happen: the world changes and we as business leaders don’t react fast enough because we haven’t incorporated and embedded enterprise risk management into our corporate DNA.
With risks such as data breaches becoming more common, complex and disparate in nature, a successful response demands a broadly integrated approach that cannot be handled and managed by multiple, separate roles in a business. This, coupled with the need for decreased reaction time to events and threats (both internal and external), requires a streamlined reporting structure. So what we are seeing now for the first time is that many risk-related tasks and job roles are being consolidated as the pace and breadth of digital interconnectivity quickly expands.
This accelerating consolidation and associated increase in span of control for risk management personnel has been years in the making via different waves and iterations of integration. The first wave where physical security merged with information security took years to happen. Next came risk, compliance, and privacy merging. Today all of these previously diverse areas are merging together quickly into a centralized enterprise risk function to improve risk recognition, clarity and response speed. Depending on company size and the industry, this function usually falls under a Chief Security Officer (CSO) or the Chief Risk Officer (CRO) role.
While some industries are still in the midst of this process, and grappling with these integrations, other industries, such as the financial sector, have blazed the way. The financial sector was the first industry to experience this accelerating wave of risk and security mergers into a CRO function.
This was brought about as a necessary, purpose-driven, survival response because of increased targeting by hackers and near constant government regulatory oversight and enforcement activity.
This consolidation of multiple risk roles under the umbrella of enterprise risk management and a single C role has brought a number of very important, and to this day underappreciated, transformative additions to the business. The most important addition is that, for the first time, companies now have a single C role responsible for brand protection. While you could say that the CEO or executive team is responsible for this vital function, the truth is that before now, when an event occurred, it was at best a nebulous hierarchy of responsibility with finger pointing everywhere. To put it bluntly: protecting the brand is the most important responsibility of this new role.
Another addition that is realized by consolidating these different organizational roles into one C role is that it yields a new way of thinking about standardizing enterprise risk management and choosing or building an associated risk management framework. While there are many frameworks out there for businesses to model, most are guides on how things should work academically or in theory, instead of being based in day-to-day practicality for most businesses to use. Some provide great structural and organizational foundations like ISO 31000, COBIT or COSO, but lack the narrow focus that most businesses can use or start to apply quickly.
While each framework has its ardent adherents who can argue the pros of each, the best place to start in order to protect the brand is by looking at the business as a whole and finding which parts of these frameworks (or a combination of them) are closest to where you are now or to where you want to be. The next two steps in the process are the hardest. First, mapping your existing business processes and risks to the chosen or built framework and second, creating your plan to address the identified risks in priority order. While these steps are easy to say, they aren’t easy to do.
One of the things that we discovered going through this brand protection process is that client and customer data are the most important asset that we have to protect. We addressed this risk through three major steps. The first was to encrypt client / customer data at rest. The second was to treat every PC as a major risk point. In addition to having anti-malware, we added an additional preventative step by installing the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft. This tool is one of the most important and useful security tools that most security people have never heard of, and it is provided at no cost. The third was to have different brands of external and internal firewalls, block countries inbound and outbound where we weren’t conducting business, and, for those countries where we did, set threshold and frequency alerts on exfiltration of data. While we have many other security and enterprise risk management processes in place as a result of our brand protection process, the previous three building blocks represent foundational security measures that any organization can use to help protect their brand.
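The third building block, country blocking plus threshold and frequency alerts on outbound data, as an added Python example that is not code from the article or from MRS: the egress log format, the allowed-country list, the thresholds and the sample records are all constructed assumptions, and the window logic is one simple way to do it, not a description of any particular firewall product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: countries the business actually operates in, plus the
# exfiltration thresholds applied to hosts talking to those countries.
ALLOWED_COUNTRIES = {"US", "CA", "GB"}
BYTES_THRESHOLD = 50_000_000      # bytes out per host per window
CONN_THRESHOLD = 3                # outbound connections per host per window
WINDOW = timedelta(minutes=10)

# Constructed egress records: "<ISO time> <internal host> <dest country> <bytes out>".
SAMPLE_LOG = """\
2015-06-01T09:01:10 10.1.1.5 RU 3000
2015-06-01T09:02:00 10.1.1.9 GB 30000000
2015-06-01T09:05:30 10.1.1.9 GB 25000000
2015-06-01T09:06:00 10.1.1.7 CA 200
2015-06-01T09:06:05 10.1.1.7 CA 200
2015-06-01T09:06:10 10.1.1.7 CA 200
2015-06-01T09:06:15 10.1.1.7 CA 200
"""


def parse_log(text):
    """Parse the space-separated records into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append({"ts": datetime.fromisoformat(parts[0]), "host": parts[1],
                            "country": parts[2], "bytes": int(parts[3])})
    return records


def evaluate(records):
    """Return (alert_type, host, detail) tuples; each threshold fires once per host/window."""
    alerts, nbytes, nconns = [], defaultdict(int), defaultdict(int)
    for r in records:
        if r["country"] not in ALLOWED_COUNTRIES:
            alerts.append(("blocked_country", r["host"], r["country"]))
            continue                              # dropped at the firewall, not counted
        key = (r["host"], (r["ts"] - datetime.min) // WINDOW)   # fixed 10-minute bucket
        before = nbytes[key]
        nbytes[key] += r["bytes"]
        nconns[key] += 1
        if before <= BYTES_THRESHOLD < nbytes[key]:           # crossed the volume line
            alerts.append(("bytes_threshold", r["host"], nbytes[key]))
        if nconns[key] == CONN_THRESHOLD + 1:                 # crossed the frequency line
            alerts.append(("conn_frequency", r["host"], nconns[key]))
    return alerts
```

Run over the sample, `evaluate(parse_log(SAMPLE_LOG))` yields one blocked-country hit, one volume alert for the host that pushed 55 MB to an allowed country inside one window, and one frequency alert for the host opening four connections in a few seconds.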
In the end, the organization that prepares itself holistically to handle modern-day risks by consolidating all enterprise risk management functions under one dedicated C title survives.