New mantra of CIO’s success: Managing risk against investment

Anand NaikSymantec

Constant change in the threat landscape makes the CIO’s job one of the toughest in the world. CIOs have to assess all of the IT risks and then define the risk assessment levels for their organization, while finding the right balance between the costs paid in advance to minimize risks against the risk levels their company is willing to accept. Before an attack strikes an organization, there exists luxury of time to put the proper people and processes in place, along with the right technologies to limit their risk. After a security attack, the IT team has limited time to get the company back into a desired state.

Finding the perfect balance
If you had a line chart and the horizontal X-axis represents the cost and the vertical Y-axis represents the risk, where does an organization find its “risk comfort zone” and how does the CIO pin point where those two lines intersect based on their organization? It can often be a challenge to strike that balance and find the right balance in order to be successful in minimizing risks while protecting the company.

Information drives businesses and in turn, businesses drive our economies. CIOs are faced with a huge amount of pressure today to keep an organization up and running even during the most significant attacks, power outages or disasters. Every business– from the smallest regional banks to the largest global enterprises– needs to protect and manage its information 24/7, Gone are the days of the five day work weeks.

What must CIOs do do carve out a risk management plan?
As every business is different, CIOs first need to understand the business profile and come to a consensus with the board on the critical IT assets – email, databases, servers, etc. – that must be kept up and running 24/7. Organizations need to define their recover point objective for getting their systems back online in order to not slow down their production. It is more about the recovery than the attack.

Once the CIO defines the critical IT systems and assets, they can then determine what is needed to protect them by working on a risk analysis – or gap analysis – which studies the current business risks and maps back what people, process or technologies they need to supplement current strategy.

Some of the points that a CIO can consider are:
•Identifying the level of risk is the organization willing to accept. The lower the risk, the higher the cost. The higher the risk, the lower the cost.
•Listing the mission critical systems and assets and how long can they be down without impacting business
•Understanding the potential impact on reputation if the organization was attacked and the costs associated with data loss or data leaked from an attack
•Assessing the level of technology investments to minimize risks

The Final Word
While most organizations have some degree of security software in place, it is not always enough to protect them from the most sophisticated attacks or the other potential risks, both externally and internally. A holistic approach or a multi-layer defense in depth security strategy is needed. The thought process must be different – and bigger – than just having anti-virus and anti-spam solutions. Information protection is more than just security. Organizations need to implement data protection solutions that will help recover the systems if they go down. While technology is integral to managing risks, training employees on the security threats and how they can help prevent data loss should also be incorporated into the risk management plans. Lastly, CIOs should ensure there is an incident and emergency response procedure in place to manage an attack if/when it occurs.