If my client conversations are any indication, risk leaders everywhere are grappling with cyber security. Previously we observed how cyber risk has moved beyond monetary theft into data theft—opening an organization to potentially dramatic reputational risk.

Historically, risk leaders were often content to leave the cyber security problem to the IT department. A new role evolved, called Chief Information Security Officer (CISO). Securing the business rested in the CISO’s hands, and hinged on how much the business could spend to devise better cyber security.

That approach won’t suffice anymore. Why not? Because cyber criminals have moved on. They now pose threats that go beyond the IT infrastructure. Cyber criminals exploit whatever security gaps they can find.

Contrary to popular belief, cyber criminals are rarely devising brilliant code to break through the latest cyber security measures. These criminals—like any other thieves—are too opportunistic for that. Instead, when one gap closes they just poke around for a new gap.

Maybe a half-dozen years ago, cyber thieves could (and did) steal credit card data from big box stores by pointing an antenna at the store’s unsecured Wi-Fi. Once Wi-Fi security and encrypted data became the norm, criminals shifted to a new strategy—perhaps stealing an unsecured laptop from a call center professional. Or distributing spyware a bank’s associate might unwittingly install onto his networked PC. Or paying an hourly worker to take cell phone pictures of a computer screen containing social security data.

The problem isn’t always “cyber,” but it’s almost always tied to data and information theft. And, as we’ve seen, the problem is no longer confined to the IT department.

For risk managers, this is less an opportunity and more a mandate. In my next post we’ll look at how the CRO can lead the business toward comprehensive cyber security.