Risk Management and Information Security

When it comes to information security and risk management, the end of term report for most CIOs is pretty conclusive: could do better. The description comes from Mark Chaplin, Principal Research Analyst at the Information Security Forum (ISF), an independent association representing many of the world’s leading firms. Chaplin helps the organisation produce a series of reports and standards, and is an expert in educating IT leaders about how to deal with the ever-changing threat environment.


His research leads him to suggest that most CIOs still have an awful lot to learn about information risk management. The need for such awareness becomes even more acute in a modern era of technological development, which means businesses must balance the opportunities of collaborative operations against the risks of cyber terrorism.


“I don’t think any executive can be totally ready for the range of information security threats,” he says. “This is a fast-changing world, where business objectives move dynamically alongside strategies and technologies, producing new expectations inside and outside the organisation.”


How can CIOs become information experts?


CIOs, says Chaplin, have traditionally been concerned with the management of technology. The technical emphasis of the role is diminishing, and the more effective IT leaders are now responsible for the value of organisational information.


“There are CIOs who are working effectively with the business to produce successful information management strategies at the boardroom level,” says Chaplin. “These leaders have the ear of the chief executive and they truly understand the significance of information risk.” He argues that an awareness of risk is absolutely fundamental for the modern CIO. Other C-suite executives have an understanding of risk and can articulate the need to make crucial business decisions, sometimes without clear information to hand.

“Some threats are on the radar and require the CIO to deal with risks on a daily basis,” explains Chaplin. “Other risks are below the radar and more difficult to deal with, and some are black swans that could have a catastrophic effect.”

He points to the Japanese earthquake in March 2011 and related concerns at the stricken Fukushima nuclear plant. The combined effects on society and economy, including supply chain processes, became manifest as a cluster threat, where a number of circumstances came together with appalling and completely unforeseen consequences.

Risk must be placed within the wider business context, where the potential impact of an information security threat is understood only in relation to wider financial, operational and customer service concerns. CIOs need to explain how much loss the business can be expected to shoulder in the event of a low or high impact event.

So, for example, would the loss of a network in part of Southeast Asia be catastrophic at a global business level? A CIO who is able to communicate the risk in terms the business can quickly comprehend is in a great position. “That’s a powerful statement,” says Chaplin, who urges IT leaders to avoid thinking of IT security in purely point-based solution terms and to instead empower fellow executives with useful business information. “Understand what your audience wants and recognise that, when it comes to reporting the facts, different areas of the business need specific types of knowledge.”


What should IT leaders do next?


Chaplin believes context is also absolutely crucial to understanding the current “hot buttons” within the technology industry, such as consumer IT and cloud computing. Such trends will continue to affect the organisation, but Chaplin urges CIOs not to get too caught up in the vendor hype.

“Don’t cry wolf to the business,” he says. The ISF addresses such concerns through its annual Threat Horizon report. Starting in 2006, the research identifies the key areas of risk to business, both within and beyond the information security remit. Chaplin says key themes CIOs will need to address during the next two years include protectionism, breach identification and mobile technology.

“Consumerisation is here, yet debates continue about the potential risk,” he says. “Some CIOs are embracing the trend and others are relying on an avoidance strategy. But consumerisation is going to impact your business whether you like it or not. You simply must prepare.” Chaplin says: “IT leaders should again analyse the threats and opportunities associated with themes, like consumerisation and the cloud, within the wider context of business operations. Don’t be too reactive and get too caught up in the marketing bluster.”


“Be proactive, go to the board and explain what on-demand technology means in business terms. Make sure you have the information to explain why the cloud is nothing to worry about.”


“Think about how you can add value as you start to think about the future of your organisation’s operations. As you think about the future, you will need some sort of model to help guide your thinking.”
