Gartner

Newsroom

STAMFORD, Conn., July 10, 2014 View All Press Releases

Gartner Says 2015 Will See the Emergence of Digital Risk and the Digital Risk Officer

Analysts to Focus on Digital Risk Trends at Gartner Security & Risk Management Summits 2014, August 25-26 in Sydney, September 8-9 in London and September 15-16 in Dubai

More than half of CEOs will have a senior "digital" leader role in their staff by the end of 2015, according to the 2014 CEO and Senior Executive Survey by Gartner, Inc. Gartner said that by 2017, one-third of large enterprises engaging in digital business models and activities will also have a digital risk officer (DRO) role or equivalent.

By 2020, 60 percent of digital businesses will suffer major service failures due to the inability of the IT security team to manage digital risk in new technology and use cases. IT, operational technology (OT), the Internet of Things (IoT) and physical security technologies will have interdependencies that require a risk-based approach to governance and management. Digital risk management is the next evolution in enterprise risk and security for digital businesses that are expanding the scope of technologies requiring protection.

"Digital risk officers will require a mix of business acumen and understanding with sufficient technical knowledge to assess and make recommendations for appropriately addressing digital business risk," said Paul Proctor, vice president and distinguished analyst at Gartner. "Many traditional security officers will change their titles to digital risk and security officers, but without material change in their scope, mandate, and skills they will not fulfill this role in its entirety."

The mandate and scope of a DRO is very different than a chief information security officer (CISO) and in many organizations the CISO role will continue with similar scope as in 2014. The DRO will report to a senior executive role outside of IT such as the chief risk officer, chief digital officer or the chief operating officer. They will manage risk at an executive level across digital business units working directly with peers in legal, privacy, compliance, digital marketing, digital sales and digital operations.

The IT security role remains relevant and vital. However, many CISOs will evolve into DROs as they begin to own or form effective partnerships with digital security teams managing other forms of technology. IT security leaders may continue with their assigned responsibilities that report to the DRO. As physical security management becomes increasingly digital, this will include the physical security teams as well.

The impact of this new structure of digital risk governance and management on IT and IT security operations is expected to be minimal, particularly in those enterprises that have already appointed a chief risk officer. However, the potential impact on the culture of IT and IT security teams is major.

IT, OT, IoT and physical security form a new superset of technology that challenges the ability of existing organizational structures, skill sets and tools to consistently and adequately assess, define and manage technology risks. Simply expanding the portfolio of the existing IT security team to include technology risk for all Internet-aware technology is not viable. New and existing technology managed outside of the IT organization requires skills and tools beyond the competence of the IT security team in its current responsibilities, and the teams currently involved in management of these technologies are culturally distinct from the IT organization.

A consistent, unified approach to digital risk at the enterprise level has the potential to deliver cost efficiencies and greater risk assurance for business processes than the fragmented approach currently in place at most enterprises. Development of a digital risk management capability requires deconstruction and re-engineering of current organizational structures and allocations of responsibility as well as the development of new capabilities in security and risk assessment, monitoring, analysis and control.

"By 2019, the new digital risk concept will become the default approach for technology risk management," said Mr. Proctor. "Digital risk officers will influence governance, oversight and decision making related to digital business. This role will explicitly work with non-IT executives in various capacities to better understand digital business risk and facilitate a balance between the need to protect the organization and the need to run the business. However, the cultural gap between IT and non-IT decision makers presents a significant challenge. Many executives believe technology — and therefore technology-related risk — is a technical problem, handled by technical people, buried in IT. If this gap is not bridged effectively, technology and consequent business risk will hit inappropriate levels and there will be no visibility or governance process to check this risk."

More detailed analysis is available in the report "Innovation Insight: Digital Business Innovation Risk — The Rise of the Digital Risk Officer." The report is available on Gartner's website at http://www.gartner.com/doc/2771823.

Additional information on the future of the security market is available in the Gartner Special Report "Security Futures: Prepare for the Peak — and Beyond." The special report can be viewed at http://www.gartner.com/technology/research/security-futures/ and includes links to reports and video commentary that examine threat-centric trends in security spending and staffing, and how to manage and thrive through what may be an unsustainable trajectory.

Gartner analysts will take a deeper look at digital risk at the Gartner Security & Risk Management Summit 2014. The Gartner Security & Risk Management Summit 2014 features six programs focusing on IT security, risk management and compliance, business continuity management, CISO roles, the marketplace for security and security architecture to deliver detailed, role-specific content and networking. Each program offers a full agenda of analyst sessions, keynotes, roundtable discussions, case studies, workshops and more.

Upcoming dates and locations for the Gartner Security & Risk Management Summit 2014 include:

August 25-26 in Sydney, Australia: http://www.gartner.com/technology/summits/apac/security/

September 8-9 in London, U.K.: http://www.gartner.com/technology/summits/emea/security/

September 15-16 in Dubai, UAE: http://www.gartner.com/technology/summits/emea/security-dubai/.

Members of the media can register for press passes to the Summits by contacting susan.moore@gartner.com (Sydney), laurence.goasduff@gartner.com (London) or sony.shetty@gartner.com (Dubai).

Information from the Gartner Security & Risk Management Summits 2014 will be shared on Twitter at http://twitter.com/Gartner_inc using #GartnerSEC.

Contacts
About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading information technology research and advisory company. We deliver the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the valuable partner to clients in over 9,000 distinct enterprises worldwide. Through the resources of Gartner Research, Gartner Executive Programs, Gartner Consulting and Gartner Events, Gartner works with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, USA, and has 6,400 associates, including more than 1,480 research analysts and consultants, and clients in 85 countries. For more information, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.

Gartner Insight
Gartner Webinars