24 Oct 2002, Rachel Fielding, V3
Nine out of 10 IT security specialists at banks, financial institutions and energy-related firms would rather report to a chief risk officer (CRO) than a finance director, new research has revealed.
At the same time more than half of senior IT managers think that their own IT departments are the largest threat to IT security, according to a study by information security services provider Defcom.
Some financial institutions, including Credit Suisse and GE Capital, have appointed CROs to boards and executive teams, mainly in the US, to manage credit, market, operational and 'reputation' risk.
David Howorth, business development director at Defcom, explained that support for the appointment of a CRO showed that risk management was moving up the corporate agenda.
"The CRO would not be compromised by having to deliver to tough financial performance targets or talk up the investment story," he said.
"This development would ensure that operational risk, including IT security, gets the increased attention it deserves at board level.
"IT wants a friendly face on the board to fight its corner rather than someone who says: 'That's a lot of money, what sort of return can I expect?'"
Although progress has been slow and predominantly focused in the US, the accounting scandals at companies like Enron and MCI WorldCom have increased regulation and pressure from shareholders, and will certainly raise the profile of the CRO's role.
Meanwhile, two thirds of the senior IT security managers who took part in the survey believe that their employees pose a greater risk to corporate IT security than malicious hackers.
Security holes in corporate systems often open up during systems upgrades or when integrating new applications into core infrastructure, the respondents claimed.
Skills issues were also highlighted as a major security concern. Two thirds of respondents said that their IT departments lacked the requisite skills to handle today's widening spectrum of security threats.
And as security issues move further up the corporate agenda, senior IT security managers are increasingly involved in the management of physical security.
Some 70 per cent have taken on responsibility for reviewing physical access to corporate premises and computers.
The results are based on qualitative interviews with 20 senior IT security managers at household-name banks, financial institutions and energy businesses.