With the Super Bowl just completed, corporate America might take this as a good time to step back and reevaluate how strong its offensive and defensive capabilities really are. With the economy showing signs of improvement, more companies are doing well on the offensive, or growth, side of their business. But the threat of cyber intrusion is growing by the minute and can potentially upend virtually every aspect of a company, from value and profits to brand and trust. That’s why boards of directors and chief executive officers would do well to follow the lead of another highly competitive business, professional football, and balance their attack on both sides of the ball. Winning and losing is something every board member and CEO can relate to.
Benchmark Executive Search believes what is missing in the industry management structure is a type of corporate defensive coordinator to oversee every aspect of security and risk. For public companies, the answer lies in the creation or elevation of the role of chief risk officer (CRO).
Ignore the Warning at Your Peril
With cyberattacks growing in magnitude, complexity, and frequency, large-scale security lapses have left untold numbers of companies vulnerable and defenseless. Major breaches cost industry billions of dollars each year; a company can take years to fully recover from one, and a breach can even crush a company. Organizations face a clear imperative: improve internal risk management platforms and get the right leaders into place.
Retired Army Gen. Keith B. Alexander, CEO of IronNet Cybersecurity, former director of the National Security Agency, and former commander of the U.S. Cyber Command, recently stated publicly: “The value of theft of intellectual property from American industry represents the single greatest transfer of wealth in history and the probability of significantly disruptive and destructive attacks is rapidly increasing.”
Corporate leaders can ignore his warning at their own peril. Creating or bringing the role of the CRO up to the equivalent of the chief operating officer could spare a lot of companies crippling financial losses, operational setbacks, and the many related problems that would ensue. If it takes a company decades to establish value of $1 billion, $10 billion, or even $100 billion, then why is protecting and preserving this value given such insufficient priority, visibility and resources?
At public companies today, the CFO, general counsel, CIO and CISO typically each own a portion of the enterprise risk equation. The new CRO would have responsibility and, more importantly, accountability for all enterprise risk, would manage a small team representing each department, and would report directly to the CEO. Think of the COO as the offensive coordinator who in the business world helps generate value, revenue, and profits. The next-generation CRO, on the other hand, would be the defensive coordinator who protects and preserves this value.
A New Kind of P&L Leader
Now is the time for organizations to act. If the board of directors and CEO fail to mandate this major structural and organizational change, and communicate to the entire company why a new culture of security is being implemented, then risk will continue to be fractured, siloed, and crisis driven; major breaches and hacks will continue to threaten a company’s future value and brand.
CEOs, COOs, and division leaders today manage a P&L – profit and loss. Benchmark envisions that the next-generation CRO will own a new kind of P&L – “prevention of loss.”
About the Author
Jeremy King is President of Benchmark Executive Search, a specialist recruiting firm serving the senior-level cybersecurity and national security talent needs of companies across the nation.