By Christiaan Engelbrecht, Financial Director, Rectron
For the last decade, key business judgements have been left in the hands of the CEO and Chief Financial Officer (CFO), with the Chief Technology Officer (CTO) overseeing important technology-related decisions – often in isolation from the rest of the business. But now with universal online access, a focus on going ‘paperless’ and the rise of the hybrid workforce due to COVID-19, the Chief Risk Officer (CRO) sitting in the back office on the first floor is more important than ever.
The core tenets of securing business have always been to maintain business continuity by ensuring the confidentially, integrity and availability of systems and information. The paradigm shift needed today becomes evident when one looks at the pace of evolution of threats as ICT has evolved during the last four decades compared to the last four years.
In the past, CROs typically managed risk-related duties within their respective specialised areas. But along came the Fourth Industrial Revolution (4IR) with technology reinventing the way businesses operate and forever transforming the role of the CRO.
Every technology that has reached momentum and become common place as a tool for progress and digital transformation has also become an opportunity for extortion or sabotage by cyber criminals. Now with the burst of staff required to work remotely there are additional complexities in securing company data while minimising the impact on productivity.
For example, IoT has shed a new light on data, accumulating it, analysing it and helping businesses to derive meaningful insights, while blockchain continues to simplify online banking transactions.
At Rectron we have seen the evolution ourselves as we begin to deal with our customers’ risk evangelists more and more. Someone that used to sit unnoticed in a back-office corner is now critical, because as business and technology models change, so do the associated risks. Businesses are more dependent on technology than ever before, and with this growing dependence, new risks have emerged for the CRO, such as cybersecurity, human resources (HR), and data privacy risks.
In fact, data protection has rapidly become a top priority for South African businesses. With the Protection of Personal Information Act officially in effect at the beginning of July, companies have under a year to fully comply. Within this time, they must ensure the correct tools and procedures are in place for processing, storing and securing data.
Accumulating vast amounts of data requires a data guardian, a custodian who understands the intricate data universe and can act as a gatekeeper to ensure its safe keeping. Stepping up to the challenge, CROs manage and mitigate the associated risks of 4IR, while implementing sufficient processes, controls and policies. Instead of being reactive, CROs are now proactive, identifying hidden risks, looking at what lies beneath, questioning the unknown.
The role of the CRO has become indispensable to executive teams. Seen as an advisor to the board and C-suite, CROs are key in crisis and essential when transitioning from crisis to recovery.
The CRO works closely with the IT department to identify what makes systems and applications vulnerable and ensure proper process documents are in place to enable the company to respond to any growing number of threats that might compromise security.
Advances in technology have seen new cybersecurity threats emerge, posing a real risk to businesses that are information and data-driven, as perpetrators’ methods become increasingly sophisticated.
According to a report by Bitdefender, 86% of information security professionals acknowledge that cybersecurity attacks across most common attack vectors have been on the rise during COVID-19.
And the rise in phishing, ransomware, social media threats and supply chain attacks has ultimately increased the scope of responsibilities for CROs.
HR risk management
CROs now have an influential role in HR processes, as their decisions on processes and policies impact the way HR operates, from contacting employees to analysing performance and storing documents.
This is particularly key since HR is making more use of data collection and analysis, and employees are becoming increasingly concerned over the safety of their personal data as more information about the risks to personal privacy is made widely available.
As companies go paperless, securing employee records requires new security measures. Best practice involves implementing security systems that can safely store this accumulation of digital data. A firewall is a must-have, but policies should also be enforced, governing who has access to employees’ confidential data.
CROs also need to get involved in setting best practice around the use of internal tools and resources, which should be restricted according to an employee’s role. Limiting access is key to ensuring sensitive information doesn’t fall into the wrong hands. The finer detail like remembering to deactivate users’ access when they leave the organisation is also critical. Social engineering is another key issue for CROs to manage as hackers try and steal sensitive company information by tricking employees into giving away key information. We saw just how damaging the effects of social engineering can be with the recent Experian breach, where millions of South Africans’ data was compromised. Training employees on the kind of ploys to look out for can go a long way in keeping them safe from opportunistic cybercriminals.
CROs need a reputable end-to-end cybersecurity solution in place to stay on top of their game. Since all digital initiatives are now hosted across clouds, CROs should look to a powerful cloud-based security solution like that offered by Microsoft Azure, which can help keep pace with the evolving threat landscape and secure their workloads across a hybrid environment.
The solution should include backup and disaster recovery, essential to the business’s ability to remain up and running in the face of unforeseen disruption. When it comes to implementing new technologies, CROs should interrogate the security behind the solution whether it be in the cloud or on premise. When dealing with a cloud solution it can be particularly helpful to read through the security whitepapers released by the vendor to understand how it secures its datacentres.
The right solution ultimately lowers the cyber risk for organisations. By deploying suitable application security systems, companies can mitigate today’s advanced threats.
In the pursuit of business continuity and availability of systems, IT professionals must go beyond the ABCs of security. It has become a choice of fighting technology with technology and finding the right partners to implement.
CROs have stepped out of the back office and into the boardroom. Coming from behind the scenes, today CROs are in the public spotlight. Often viewed as an unbiased ethics soundboard, the life of a CRO is by no means dull.