The CIO’s New Relationship with IT Risk
– Christian Byrnes, Managing VP, Gartner, Paul Proctor, VP and Distinguished analyst, Gartner
As businesses depend more on technology and security threat levels increase, CIOs must reset their approach to IT risk.
You return from a quick lunch expecting to see the usual beehive of activity in the areas between reception and your office. Instead you see and hear a low buzz of consternation and no one seems to have their fingers on a keyboard or their eyes on their computer screen. All of the computer and communications hardware is there. Nothing you can see is out of place. But the software and the data are gone. Totally gone from every computer and disk drive in the company.
Congratulations. Yours is the fourth company in the world to experience the latest style of hacker attack.
Managing Risk Outside the Perimeter
Two major changes face CIOs and their risk and security teams. The first is that mobile, social and cloud move business data and processes outside of the perimeter, and outside of traditional enterprise control. The second is that these are dynamic environments with no stability or predictability. Managing appropriate levels of risk in this environment will require a new approach. Yesterday it was a new tablet; tomorrow some vice president will ask for email on her new Google Glass.
“Often today, business units accept risk, CIOs are aware of it, and CISO’s really worry about it.”
By 2020, security will no longer be an IT problem, it will be a business problem, driven by a combination of increased business level dependence on technology and the inevitable increase in threat level and complexity. Smart CIOs get business executives involved early and establish cyber risk as a key operational risk to the business. In fact, one out of three CISOs already report outside of IT.
How should CIOs help their organizations innovate for digital business while building necessary and appropriate risk controls that the business will follow?
It’s Time to Reset Enterprise Security
To combat the new challenges, security and risk teams are resetting how they deliver value. Procurement teams develop contracts that improve security agreements with cloud vendors, and security managers improve data classification schemes to make sure that critical data is never unprotected in the cloud. Organizations supplement traditional security approaches with new tools, including context-based algorithms for identity management, data isolation through mobile containers, rights management tools and new monitoring capabilities that all enable business benefits while limiting risk.
New Risk Requires People-Centric Security
But this dilution of control also requires innovative methods for managing risk in the enterprise. Eventually, technology will be so natural and pervasive that you won’t even need to hold it in your hands. Knowledge workers of the future will have all of their company, job, family and personal details in a virtual world that is available through any device or app. People will have access anywhere and anytime, so the definition of perimeter will continue to evolve. Vast amounts of information will be collected and processed using the real-time application of constant and pervasive analytics.
In other words, people are empowered. Risk and security professionals can’t take that away from them, but they can influence behavior. Gartner is pioneering a technique we call “people-centric security,” or PCS, which is the integration of information security and the social sciences. It focuses on encouraging people to make better security decisions by giving them a set of rights and responsibilities, rather than by trying to control them with dictatorial policies and controls.
For example, users are given the right to connect their iPads to corporate email, which makes their lives easier, but they are also given responsibilities, such as not storing sensitive data on that iPad. If they violate the responsibility, they lose the right and the convenience of using it for company mail. Essentially, they are motivated to do the right thing for reasons that are meaningful to them.
Influence Business Decision-Making
With frequent news of big brand breaches and hacks, non-IT interest in IT risk and security, particularly by boards of directors, has been on the rise. Use the power of risk management and security to influence business decision-making.
The company’s new relationship with risk means accepting that risk and security professionals no longer:
Seek to prevent every possible threat; they assess and prioritize risks to support conscious choices about what will — and will not — be done to address threats.
Are buried deep in IT; they understand the impact IT risk has on business outcomes.
Rely exclusively on smart people who know what to do; they formalize their programs with repeatable, survivable and measurable processes.
The last decade has seen the penetration of information technology and Internet communications into every aspect of business. Along with that rise have come risks. Those risks can no longer be ignored. Managing risk to protect corporate operations is nothing new. Business executives and managers just need to add one more class of risk to the managed portfolio. Quickly.