Risk Management

Involving the C-suite in risk management

Executive Team

As the world becomes more digitized and interconnected, the door to emerging threats and proprietary data leaks has opened wider. The number of security breaches affecting enterprises across numerous industries continues to grow, seemingly every day. Once a topic restricted to the IT organization, security is now unquestionably a C-suite priority. A strong plan for risk management throughout the organization has become essential.

Cybersecurity is a core element of risk management in today’s interconnected world. As with other elements of risk, addressing security requires a broader organizational focus than has been the case in many agencies and enterprises. To rely solely on the CIO to control all security matters is like relying on a single firewall to protect against all types of threats.

Now more than ever, each leader in an enterprise must own a significant stake in securing the data and intellectual capital that flows through an organization. The responsibilities for those security issues overlap organizational boundaries, as does the potential damage if things go wrong. For example, corporate chief marketing officers or agency program leaders who focus keenly on reputation could find themselves at risk of losing customer trust and reputation if security violations result in the loss of personal information.

Therefore, C-suite professionals need to unify their efforts in managing risks and balance responsibilities for combating security risks throughout the organization. Leaders should begin by taking three important steps toward building security intelligence:

1. Get informed. Addressing IT security risk should be part of a larger risk management framework. Such a structured approach to assessing business and IT risks includes identifying key threats and compliance mandates, reviewing existing security risks and challenges, implementing and enforcing risk management processes and common control frameworks, and executing incident management processes when crises occur.

2. Get aligned. Security does not stop at the organization's boundaries. Successful organizations implement and enforce security excellence across the extended enterprise. That means involving key stakeholders, specifically:

  • Customers. Organizations must develop and communicate personal information policies, remain transparent and rapidly address privacy breaches.
  • Employees. Organizations should set clear security and privacy expectations, provide education to identify and address security risks, and manage the access and use of systems and data.
  • Partners. Organizations should work with their partners to develop and implement supply-chain security. They should also report on and manage risks as a normal part of business operations.
  • Auditors. Organizations must coordinate with auditors to align enterprise and IT risk, contribute to controls frameworks, and conduct regular reviews of regulatory and enterprise policies.
  • Regulators. Organizations must manage regulatory risks, demonstrate compliance with existing regulations, and review and modify existing controls based on changing requirements.

3. Get smart. As public and private enterprises seek to bolster their security defenses, the use of predictive analytics plays an increasingly important role. Such tools support automated risk management processes and sophisticated detection of advanced persistent threats -- critical building blocks for security intelligence. Requirements include the ability to identify previous breach patterns and outside threats to predict potential areas of attack, assess employee behavior to reveal patterns of potential misuse and monitor the external environment for potential security threats.

In our increasingly complex and interconnected world, security risks are real and increasing exponentially. Although solutions and strategies abound, there is one common denominator: Security is more than a purely technical issue. It depends on unification and input from multiple C-suite executives who can provide unique perspectives about risk, investment and preventive approaches to security issues.

A version of this article first appeared on www.businessofgovernment.org.

About the Authors

Dan Chenok is executive director of the IBM Center for the Business of Government.

John Lainhart leads IBM's Public Sector Cybersecurity and Privacy Services.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from Shutterstock.com

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group