Involving the C-suite in risk management
- By Dan Chenok, John Lainhart
- Mar 14, 2014
As the world becomes more digitized and interconnected, the door to emerging threats and proprietary data leaks has opened wider. The number of security breaches affecting enterprises across numerous industries continues to grow, seemingly every day. Once a topic restricted to the IT organization, security is now unquestionably a C-suite priority. A strong plan for risk management throughout the organization has become essential.
Cybersecurity is a core element of risk management in today’s interconnected world. As with other elements of risk, addressing security requires a broader organizational focus than has been the case in many agencies and enterprises. To rely solely on the CIO to control all security matters is like relying on a single firewall to protect against all types of threats.
Now more than ever, each leader in an enterprise must own a significant stake in securing the data and intellectual capital that flow through the organization. Responsibility for security issues crosses organizational boundaries, as does the potential damage when things go wrong. For example, corporate chief marketing officers or agency program leaders whose job is to protect the organization's reputation could find themselves losing customer trust if a security violation exposes personal information.
Therefore, C-suite professionals need to unify their efforts in managing risk and share responsibility for combating security risks throughout the organization. Leaders should begin by taking three important steps toward building security intelligence:
1. Get informed. Addressing IT security risk should be part of a larger risk management framework. Such a structured approach to assessing business and IT risks includes identifying key threats and compliance mandates, reviewing existing security risks and challenges, implementing and enforcing risk management processes and common control frameworks, and executing incident management processes when crises occur.
2. Get aligned. Security does not stop at the organization's boundaries. Successful organizations implement and enforce security excellence across the extended enterprise. That means involving key stakeholders, specifically:
- Customers. Organizations must develop and communicate personal information policies, remain transparent and rapidly address privacy breaches.
- Employees. Organizations should set clear security and privacy expectations, provide education to identify and address security risks, and manage the access and use of systems and data.
- Partners. Organizations should work with their partners to develop and implement supply-chain security. They should also report on and manage risks as a normal part of business operations.
- Auditors. Organizations must coordinate with auditors to align enterprise and IT risk, contribute to controls frameworks, and conduct regular reviews of regulatory and enterprise policies.
- Regulators. Organizations must manage regulatory risks, demonstrate compliance with existing regulations, and review and modify existing controls based on changing requirements.
3. Get smart. As public and private enterprises seek to bolster their security defenses, predictive analytics plays an increasingly important role. Such tools support automated risk management processes and the detection of advanced persistent threats, both critical building blocks for security intelligence. Requirements include the ability to identify previous breach patterns and outside threats in order to predict likely areas of attack, to assess employee behavior in order to reveal patterns of potential misuse, and to monitor the external environment for emerging security threats.
In our increasingly complex and interconnected world, security risks are real and growing. Although solutions and strategies abound, there is one common denominator: Security is more than a purely technical issue. It depends on unified input from multiple C-suite executives, each of whom brings a distinct perspective on risk, investment and preventive approaches to security issues.
A version of this article first appeared on www.businessofgovernment.org.
Dan Chenok is executive director of the IBM Center for the Business of Government, and a 2010 Federal 100 winner.
John Lainhart leads IBM's Public Sector Cybersecurity and Privacy Services.