The Evolution of the Chief Risk Officer
It is amazing how much the cybersecurity industry has grown and evolved over the years. If you just look back even just a couple of years, the strategic conversations we were having have certainly changed. The space is evolving, and each of us in the industry are having to evolve with it to stay current. One area that has evolved greatly over time is risk management, specifically the role of the Chief Risk Officer.
To dig deeper on its evolution, I sat down with CEO and founder of Risk Neutral Jeff Sauntry on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management. Read on for highlights from our conversation around risk management, the role of the Chief Risk Officer, and more.
Nabil: Let’s start by talking about risk management. How did you make that transition from cybersecurity to risk management?
Jeff: For me, it was a natural evolution to upskill my vocabulary as I started interacting with more senior business leaders and board members. When the board members and the C-suite have normal discussions, they’re still discussing challenges and opportunities, but they’re speaking in terms of risk, cost, and outcomes. In cybersecurity, we’re often discussing threats and consequences. Something was getting lost in translation, so I decided to build on my strong technical and cybersecurity background and dig into risk management and the ability to become a more effective communicator.
Nabil: What would you say are some of the key characteristics that make someone great at risk management?
Jeff: My whole career had risk management components to it, but I did not yet understand risk as an empirical domain. That’s one of the reasons I chose to make this pivot. I also made the investment of time and resources to go to Carnegie Mellon and get my Chief Risk Officer certification. What was great about that is I went from being very myopic, maybe talking about technology, operational, or compliance risk, and then opening my eyes to the fact that there are five major risk categories that every business has to worry about: Strategic risk – which is by far the most important if you don’t get that one right, nothing else matters – then operational, finance, compliance, and then reputational risk comes into play if any of the first four fail.
Nabil: Tell me more about your experience at Carnegie Mellon.
Jeff: Most of us in cybersecurity are very familiar with some of the great work Carnegie Mellon has done with the maturity model of Capability Maturity Model Integration (CMMI), the insider threat program, and they have been a great partner with the government in terms of coming up with funded cybersecurity programs. I was familiar with the quality of the Carnegie Mellon products and insights, and when I read the curriculum, I thought to myself, “this is going to be really awesome.” One thing I wanted to avoid was that I didn’t want the course to be comprised of completely fintech leaders. For a lot of people fintech and financial services firms lead the way in terms of Chief Risk Officers and managing risk from a quantifiable perspective. But I knew the risk domain was much bigger and I wanted to be a well-rounded risk professional. Having a very broad group of peers in my cohort really helped me as well as the caliber of instructors that they brought in that could talk about the different ways to look at risk. I feel that I can now talk about enterprise risk management programs and not have such a myopic view around cybersecurity-, technology-, or compliance-related risk.
Nabil: Do you think the way organizations approach cybersecurity risk today needs to evolve?
Jeff: One hundred percent! It’s one of those things that you’re embarrassed about because you’ve been part of the problem for so long. We have to take a hard look in the mirror. I’ve looked back at some of the conversations I’ve had and they’re almost cringeworthy. Given the knowledge I have gained in the last two years about risk management, I wish I could go back and redo conversations with certain clients.
Nabil: From your experience, how has the role of the Chief Risk Officer evolved?
Jeff: A big part of this evolution is the cybersecurity profession. In general, cybersecurity is very focused on technical skills. That’s naturally how a lot of us come up through our profession and education. But, it’s even more important to understand that if you can’t explain the outcome of your results or your findings, it’s not going to resonate with clients. It’s as if you never did a security engagement if you can’t get the message or the impact across. That’s where I think the risk management professional is evolving. Improving soft skills that so that cybersecurity risk can have a seat at the table rather than someone coming in to tell them that the sky is falling. The Chief Risk Officer has to be a true peer to the rest of the C-suite, they should even have a solid line into the board of directors. Most companies should think about having a dedicated Risk Management Committee at the management level that’s complemented by one at the board level so that risk gets the right amount of time and attention. Then, you’ll have people with the right skill set in the room having the right discussions.
One of the important things that came out the financial services industry is that they found if you embed risk managers structurally within each business unit there to please their boss and rubber stamp high risk decisions, it can end badly. This is part of what got us into the problem of the big financial meltdown in 2008/2009. It should have been a canary in the coal mine moment for risk management as a profession to say, “you have to be very careful about allowing the Chief Risk Officer to operate independently.” They need the right reporting structures and shouldn’t be allowed to be fired on a whim because they raised their hand and said, “I think this is a little too risky for us.” So, I think the evolution of the chief risk officer is at a very exciting point in time right now.
Nabil: Let’s talk a little bit about your advisory board work. Do you have any advice for others who are looking to work in that capacity?
Jeff: You need to be very pragmatic, just like you would plan your secondary education and your master’s degree in your career. From a board journey perspective, it’s very much the same thing. You should start with an organization that you’re passionate about in order to understand: What are the procedures? What are the roles that are played? What are the different committees? Then, as you decide that you want to pursue service on a private board or a public board, think about the additional skill sets that you may need related to your fiduciary responsibilities and insurance and what are some of the personal and professional liabilities. Set a game plan for yourself, make some investments of time and money, and really figure out what it takes to be a board professional. I think it’s very worthwhile. People with a strong technical and cybersecurity background definitely have something to contribute to advisory boards from a cognitive diversity perspective as organizations face digital transformations and threats from a wider range of actors each year.
Nabil: You are a scuba instructor and a captain of the US Merchant Marines. What parallels do you draw between being a scuba instructor or captain and risk management?
Jeff: All of us have something to learn from an environmental, social, and governance perspective. One of the reasons I’m a merchant marine captain is that people covet what they know. I thought it was extremely important to get people under the water and really understand things like what plastics are doing to our oceans to understand that, yes, the stuff you throw out your car actually does make it into environments that we care about.
Everything related to instructing scuba is about risk management. The standards they have for teaching, how many students you can have per instructor, the burden being on the instructor to determine whether it’s safe to do certain things, the insurance I have to carry – all that stuff is designed to minimize risk to the students and staff. It’s incredible how they handle violations of policy. There’s a professional journal and if somebody does something wrong, they put it out there for everyone to learn from.
The reality is when you take those people out onto the ocean and you’re responsible for them, you need to bring them back healthy and safe. This comes down to a couple thing: What experiences do I bring to those situations based on the training I’ve had on the water? What is the quality of the vessel and the equipment that I’m relying on to help me deal with those situations? How prepared am I for this situation? And those are the three things as a captain that you can control.
Those core concepts resonate with cybersecurity well. How prepared are you to do the job you’ve been asked to do as part of a team? How well have you prepared your organization to deal with a specific threat? That prudent mindset of being a good steward for the people you’re responsible for resonates with people in cybersecurity as well.