How can CIOs strike a balance between security reduction and accepting risk?

According to the latest Gartner CIO Agenda Report, investment priorities for CIOs are changing. Recently, security has been falling down the list of highest priorities in favour of analytics, business intelligence, cloud infrastructure and mobile. At first glance, this is understandable – it is far more logical for businesses to invest in areas that will give them a high or immediate return, and information security has never been one of these areas. Spending more money on traditional protection techniques, such as firewalls, email security tools and web filtering appliances, makes it all too easy to view security as a preventative cost rather than a tangible benefit.

However, this does not necessarily have to be a bad approach to cyber threats. As Gartner’s figures show, many CIOs already recognise that a more nuanced approach to security may be a more effective way of managing risk long term. In practice, this approach begins with a clearer understanding of cyber security risks and what they could really mean for a business.

Security professionals should see themselves as enablers of the business, be present from the beginning, and seek to protect the most important assets both before and after breaches. Information security risks should, however, be viewed as manageable and no greater a problem than other forms of business risk. In other words, security risk management requires accepting that certain risks will always persist and certain breaches will always occur, so businesses should have a strategy in place for dealing with them when they do. Rather than focusing on threat reduction, many CIOs today are focusing on threat education.

The first step to managing risk is to understand it. The first step to effective risk management is therefore to identify the immediate risks to your business and to educate the board and your senior leadership on what these are and what they could mean. Effective risk management is everyone’s responsibility. A data breach can cause huge financial and reputational damage, and CxOs and line-of-business employees should understand the potential costs and the likely steps to be taken in the event of a leak.

Some organisations use incident or crisis simulation to help with this. This not only exposes any blind spots, it can also leave teams feeling more confident and better prepared for breaches should they occur.

The second step is to understand that risk management does not stop just because you have an agreed method of response. Just as the cyber threat evolves, so should the governance and policies associated with it. While a senior executive should lead attempts to modify the risk management strategy, everyone across the organisation should be able to contribute suggestions and help the business create the best possible coping mechanisms. Remember that the wider business strategy can change quickly. Growth into new markets can lead to new financial and informational risks. The use of digital technology, such as social media and the cloud, can also have an impact. Your risk management strategy must scale with your business’s appetite for growth.

Finally, consider the fact that risk appetite can vary widely between business units. For this reason, security policies need to allow for the acceptance of a certain amount of risk in order to maintain cohesion within the organisation. Security breaches can and do happen, and just as important as preventing them is having an agreed process in place to deal with them when they occur, based on an understanding of what’s involved. Risk management should be part of a holistic programme to assess risk appetite, apply risk management principles and, finally, educate the business that the realisation of a risk is not a failure but a validation of an agreed process.