Cybersecurity is no longer just an IT problem.
As digital business evolves to include ecosystems and the open digital world, cybersecurity needs to evolve from a back-office “IT” problem to an enterprisewide business consideration. These digital business needs will be supported by technologies, and the CIO will be responsible for implementing those technologies, as well as communicating to the executive team that security must be treated just like any other risk-based discipline in the business. After all, actions like securing externally owned infrastructure and establishing digital trust with customers is tied to both cybersecurity and corporate performance.
“Business value is the best lens for CIOs to appropriately manage technology risk and cybersecurity,” says Paul E. Proctor, vice president and distinguished analyst. “CIOs engaging their peer executives to better understand the business value of IT will have more rigor and defensibility when their business case is tied to corporate performance dependencies on technology.”
There is no such thing as perfect protection
IT professionals know there is no risk-free security. Unfortunately, executives think that with enough money and staff, IT can create a risk-free security setup. In the inevitable event of a hack or data breach, the blame falls squarely on the IT professionals. CIOs need to share the narrative that appropriate levels of security balance the need to protect with the need to run the business. This will enable more manageable expectations, and turns risk and security into a business function.
Failure to assess the risks of a specific technology are parallel to business risk failures, such as a failure to complete due diligence during a merger.
In the day-to-day of business, executives often make risk-based decisions. CIOs need to get executives to expand their understanding and appetite for risk to include technologies that now support business endeavors. CIOs should frame the risk in the context of how it affects the business outcome. Once business outcomes dependent on technology are considered at risk, business and IT leaders can decide if the risk is acceptable or if another option is needed.
People are a security problem and can be a solution
It’s well-known that people are the biggest security risk, but they can actually also be a security asset. In the digital world, there has been a huge influx of technology and employee access to options such as mobile devices with company email. Old security techniques, including centralized control with mouse pads and posters with security catchphrases, are no longer efficient or sufficient means of managing security. The new approach must be designed to directly impact behavior. People are just as vital to success and failure in security as they are in risk and failure for the business. CIOs need to create a people-centric approach to security that shapes behavior.
Act on security, don’t just talk
Most risk-assessment programs are very good at appraising risks, writing reports and surveying executives, but these reports rarely influence actual decisions and, as such, have little impact on risk. Failure to assess the risks of a specific technology are parallel to business risk failures, such as a failure to complete due diligence during a merger.
Ensure that these risk assessments are simple and to the point, and deliver just enough information and defensibility to support specific decision making on a particular project. Develop a dashboard of leading technology indicators linked to business outcomes. By mapping business outcomes to technology dependencies, CIOs will be able to identify the five to nine metrics to demonstrate both the business value of IT and the appropriate status of risk and security to executives and the board of directors. These metrics will link effective technology metrics to business outcomes to improve corporate performance.