AAA IRBYGiven ISO 9001:2015, we see new emphasis on executive involvement, who may even be the Chief Risk Officer (CRO) someone with lots of experience, most probably in IT, operations, legal or accounting.

Now let’s look at IT side of the risk business, where the CRO will need allies who grew up in computer science or something similar (philosophy?).  Since IT is integral to all processes and project, we think that this is where we think most risks will reside.  The CRO’s best friend may be the CEH, the Certified Ethical Hacker.

Friends in IT

The CRO needs a small team of CEHs in IT to help detect and manage risks.  The implication is not that others are unethical, but that it’s only worth certifying a few in order to spread the risk – control culture.  Those wishing to take certification exams are welcome to do so, but a CRO should not feel obligated to fund everyone’s training in that regard.  Make room for the para-CEH, who may know the subject inside and out yet not be certified.

Given the topic we’re talking about, hacking, one has to imagine the soap opera in which a CEH has gone rogue, and is using the certification as a cover for nefarious activities.  In the meantime, a newcomer to the company, but one with vast skills, discovers the problem but has no CEH status in the eyes of the CRO.  I’ll leave it to the reader as an exercise to keep going with the season (it’s a soap opera after all), which may fork in many directions.

Sharing Responsibility

My point is that we always need to remember that people are people and slapping titles on them doesn’t change that state of affairs.  A possibly good arrangement is to have CEHs rotate the responsibility of meeting with the CRO, giving those not so reporting some R&R (“respite and rejuvenation”) from what might seem like onerous obligations.

Based on this model, one CEH per IT department is not enough (too onerous), whereas by definition the CRO is a singular position, a “chief”. The “C” in CEH means “certified” lets remember, so a one-to-many relationship goes with the grain of most org charts.

Rotating Top Management?

Whether the CRO position itself should rotate may be left to company politics.  In most companies I’m aware of, it’s neither common nor a goal to have chief risk officers switching hats around.  The domain knowledge for each role is considered specialized, the lid of some silo.  “Management by rotation” as a philosophy has a lot going for it however, and might be the topic of a future blog post.  Or feel free to chime in, adding comments below.


Kirby entered the world stage near the campus of the University of Chicago, where  his dad was getting a PhD in Urban Planning, and soon moved to Portland, Oregon,  a city known for its city planners.  However Jack wished a blanker canvas, a developing  country or region to work with, and the family soon moved to Rome, Italy from where  Jack could plan for Libya.  The family continued globe hopping, to the Philippines, Egypt,  Bangladesh, Bhutan, Lesotho and South Africa (where Jack died).  Kirby obtained his  BA from Princeton, under the tutelage of Richard Rorty and peers, and focusing on  the philosophy of Ludwig Wittgenstein (thesis topic).  He was always interested in  computers ]devoted many hours to their study.  Programming, along with teaching,  have been the pillars of his technical career.  He partnered with his wife to be in  1990 to form a consulting business, Dawn Wicca and Associates (DBA 4D Solutions)  which thrived until she died of invasive breast cancer (IBC) in 2007.  Kirby has two  daughters.  His mother Carol, is a world famous peace activist and his sister Julie lives in Whittier, Greater LA.  Kirby currently teaches computer programming for a variety of outfits (his resume is at Grunch.net).

Leave a Reply

Your email address will not be published. Required fields are marked *