Few would deny the chief security officer role has evolved quite a bit in recent years. At many large companies, the heads of both physical and information security now report to the same person, an enterprise CSO. The pace of change for the function is accelerating along with the ever-changing nature of threats.
Today, many believe CSOs will morph, sooner rather than later, into chief risk officers (CROs), monitoring and mitigating enterprise risks, including those relating to information security and facilities (but excluding financial risks, which are covered by the more traditional CRO function in large companies). At a high level, the new responsibilities include understanding your company’s risk profile and risk appetite and then mitigating the risks accordingly.
Greg Thompson, vice president of enterprise security services and deputy CISO at Toronto’s Scotia Bank, already sees his role evolving into something like head of operational risk management. Scotia is Canada’s third-largest bank.