CIO's Equation for Success: Managing Risk Against Investment
In a previous blog post I discussed the increased security threats targeting the oil/energy sector. This changing security threat got me thinking about an organization’s overall risk posture and the CIO’s willingness to accept a certain level of risk – whether it comes from malware, from a system outage or from an employee who lost a company laptop at the airport. This week I am attending Symantec’s Vision conference in Barcelona, and during my conversations with CIOs I realize that they have one of the toughest jobs in the world right now. CIOs have to understand all of the IT risks and then define the risk assessment levels for their organization, while finding the right balance between the costs paid in advance to minimize risks and the risk levels their company is willing to accept.
How ready is your organization to respond to similar attacks? Before an attack, an organization has the luxury of time to put the proper people and processes in place, along with the right technologies to limit their risk. After a security attack, the IT team has limited time to get the company back into a desired state.
With new and highly sophisticated targeted attacks, CIOs are required to answer tough questions around how much risk the company is willing to accept, and how much executives and board members are willing to pay in advance to reduce that risk. If you had a line chart where the horizontal X-axis represents cost and the vertical Y-axis represents risk, where does an organization find its “risk comfort zone”, and how does the CIO pinpoint where those two lines intersect for their own organization? It can often be a struggle to strike that balance and find the sweet spot that minimizes risk while protecting the company.
Information drives businesses and, in turn, businesses drive our economies. CIOs are under a huge amount of pressure today to keep an organization up and running even during the most significant attacks, power outages or disasters. Every business – from the smallest regional banks to the largest global enterprises – needs to protect and manage its information 24/7. Gone are the days of the five-day work week. So how do organizations determine the right risk equation? The IT risks and challenges can be so overwhelming for an organization that CIOs often ask a very simple question: where do I start?
As every business is different, CIOs first need to understand the business profile and come to a consensus with the board on the critical IT assets – email, databases, servers, etc. – that must be kept up and running 24/7. Are they willing to put business processes, people or IT at risk? Going back to my previous blog around the recent oil/gas attacks, the companies that were attacked need to define their recovery point objective for getting their systems back online so that oil production does not slow down. It is more about the recovery than the attack. Their risk is not being able to operate or produce oil, and a day without oil production could mean a disruption in the global economy.
Once the CIO defines the critical IT systems and assets, they can determine what is needed to protect them by working through a risk analysis – or gap analysis – which studies the current business risks and maps back to the people, processes or technologies needed to supplement the current strategy.
While most organizations have some degree of security software in place, it is not always enough to protect them from the most sophisticated attacks or from the other potential risks, both external and internal. A holistic approach, or a multi-layer defense-in-depth security strategy, is needed. The thought process must be different – and bigger – than just having anti-virus and anti-spam solutions. Information protection is more than just security: organizations need to implement data protection solutions that will help recover systems if they go down. While technology is integral to managing risks, training employees on the security threats and on how they can help prevent data loss should also be incorporated into the risk management plan. Lastly, CIOs should ensure there is an incident and emergency response procedure in place to manage an attack if and when it occurs.
Here are some questions that every CIO should ask as they develop their risk management plan:
- What level of risk is the organization willing to accept? The lower the risk, the higher the cost. The higher the risk, the lower the cost.
- What are the mission critical systems and assets? And how long can they be down without impacting business?
- What is the potential impact on reputation if the organization was attacked? What are the costs associated with data loss or data leaked from an attack?
- What is the recovery point objective?
- What are our technology investments to minimize risks?
- How much are we willing to spend to reduce our risks?
- What technologies can provide us with a competitive advantage?
- How will we manage a potential security attack if it occurs – do we have the internal expertise, or do we need to outsource?
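The cost-versus-risk chart described earlier, and the first, fourth and sixth questions in the list above (acceptable risk, investment, willingness to spend), can be made concrete with a small model. The following is an added example, not code from the original post or from Symantec: it assumes that each candidate investment level is a tier with an up-front cost and the expected annual loss that remains after buying it, that the board expresses its risk appetite as a ceiling on that residual loss, and that "total exposure" is cost plus residual loss. All tier names and figures are constructed for illustration.

```python
"""Locating the "risk comfort zone" on a cost (X) versus risk (Y) chart.

Added example, not part of the original post. Assumptions: each investment
tier is constructed with an up-front cost and the expected annual loss that
remains after that spend; risk appetite is a ceiling on residual loss.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    name: str
    cost: float           # up-front spend on people, process and technology
    residual_loss: float  # expected annual loss that remains after this spend


# Constructed sample tiers (illustrative numbers only, not real figures).
SAMPLE_TIERS = [
    Tier("baseline anti-virus + anti-spam", cost=50_000, residual_loss=900_000),
    Tier("+ backup/recovery, RPO 24h", cost=150_000, residual_loss=400_000),
    Tier("+ defense in depth, staff training", cost=350_000, residual_loss=150_000),
    Tier("+ 24/7 incident response retainer", cost=700_000, residual_loss=100_000),
    Tier("+ full redundancy, RPO near zero", cost=1_500_000, residual_loss=80_000),
]


def total_exposure(tier):
    """Cost paid in advance plus the risk still carried: the quantity to minimize."""
    return tier.cost + tier.residual_loss


def risk_cost_curve(tiers):
    """The post's chart as data: (cost, residual_loss) points sorted by cost."""
    return sorted((t.cost, t.residual_loss) for t in tiers)


def comfort_zone(tiers, risk_appetite):
    """Cheapest tier whose residual loss is within the board's appetite, or None
    if no available investment brings risk down that far."""
    acceptable = [t for t in tiers if t.residual_loss <= risk_appetite]
    if not acceptable:
        return None
    return min(acceptable, key=lambda t: t.cost)


def cheapest_total_exposure(tiers):
    """Tier where the two lines 'intersect' in the sense of lowest cost + risk."""
    return min(tiers, key=total_exposure)


def marginal_steps(tiers):
    """For each step up the curve: extra cost paid versus expected loss avoided.
    A step where avoided loss is smaller than extra cost buys less than it costs."""
    ordered = sorted(tiers, key=lambda t: t.cost)
    steps = []
    for lower, higher in zip(ordered, ordered[1:]):
        steps.append({
            "from": lower.name,
            "to": higher.name,
            "extra_cost": higher.cost - lower.cost,
            "loss_avoided": lower.residual_loss - higher.residual_loss,
        })
    return steps


if __name__ == "__main__":
    for cost, risk in risk_cost_curve(SAMPLE_TIERS):
        print(f"cost={cost:>10,.0f}  residual risk={risk:>10,.0f}")
    best = cheapest_total_exposure(SAMPLE_TIERS)
    print("lowest total exposure:", best.name, f"({total_exposure(best):,.0f})")
    zone = comfort_zone(SAMPLE_TIERS, risk_appetite=200_000)
    print("comfort zone at 200k appetite:", zone.name if zone else "none reachable")
    for step in marginal_steps(SAMPLE_TIERS):
        print(f"{step['to']}: pay {step['extra_cost']:,.0f} to avoid {step['loss_avoided']:,.0f}")
```

With the constructed figures the third tier has the lowest total exposure; the last two steps avoid far less loss than they cost, which is the "lower risk, higher cost" trade-off in the first question above. Replacing the sample tiers with an organization's own gap-analysis estimates turns the chart into a board-level decision aid.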
What additional questions do you pose to define your risk management plan, and what are your thoughts on how you manage your company’s risk posture?