Risk Management

Involving the C-suite in risk management

As the world becomes more digitized and interconnected, the door to emerging threats and proprietary data leaks has opened wider. The number of security breaches affecting enterprises across numerous industries continues to grow, seemingly every day. Once a topic restricted to the IT organization, security is now unquestionably a C-suite priority. A strong plan for risk management throughout the organization has become essential.

Cybersecurity is a core element of risk management in today’s interconnected world. As with other elements of risk, addressing security requires a broader organizational focus than has been the case in many agencies and enterprises. To rely solely on the CIO to control all security matters is like relying on a single firewall to protect against all types of threats.

Now more than ever, each leader in an enterprise must own a significant stake in securing the data and intellectual capital that flows through the organization. The responsibilities for those security issues cross organizational boundaries, as does the potential damage if things go wrong. For example, corporate chief marketing officers or agency program leaders who focus keenly on reputation could find themselves losing customer trust if a security violation results in the loss of personal information.

Therefore, C-suite professionals need to unify their efforts in managing risks and balance responsibilities for combating security risks throughout the organization. Leaders should begin by taking three important steps toward building security intelligence:

1. Get informed. Addressing IT security risk should be part of a larger risk management framework. Such a structured approach to assessing business and IT risks includes identifying key threats and compliance mandates, reviewing existing security risks and challenges, implementing and enforcing risk management processes and common control frameworks, and executing incident management processes when crises occur.

2. Get aligned. Security does not stop at the organization's boundaries. Successful organizations implement and enforce security excellence across the extended enterprise. That means involving key stakeholders, specifically:

  • Customers. Organizations must develop and communicate personal information policies, remain transparent and rapidly address privacy breaches.
  • Employees. Organizations should set clear security and privacy expectations, provide education to identify and address security risks, and manage the access and use of systems and data.
  • Partners. Organizations should work with their partners to develop and implement supply-chain security. They should also report on and manage risks as a normal part of business operations.
  • Auditors. Organizations must coordinate with auditors to align enterprise and IT risk, contribute to controls frameworks, and conduct regular reviews of regulatory and enterprise policies.
  • Regulators. Organizations must manage regulatory risks, demonstrate compliance with existing regulations, and review and modify existing controls based on changing requirements.

3. Get smart. As public and private enterprises seek to bolster their security defenses, the use of predictive analytics plays an increasingly important role. Such tools support automated risk management processes and sophisticated detection of advanced persistent threats -- critical building blocks for security intelligence. Requirements include the ability to identify previous breach patterns and outside threats to predict potential areas of attack, assess employee behavior to reveal patterns of potential misuse and monitor the external environment for potential security threats.

In our increasingly complex and interconnected world, security risks are real and growing. Although solutions and strategies abound, there is one common denominator: Security is more than a purely technical issue. It depends on unification and input from multiple C-suite executives who can provide unique perspectives about risk, investment and preventive approaches to security issues.

A version of this article first appeared on www.businessofgovernment.org.

About the Authors

Dan Chenok is executive director of the IBM Center for the Business of Government, and a 2010 Federal 100 winner.

John Lainhart leads IBM's Public Sector Cybersecurity and Privacy Services.
