A narrow focus on security keeps CIOs from addressing other IT risks, says MIT's George Westerman. The solution? Adjust how CIOs think about security and develop capabilities often overlooked.
Dr. George Westerman is a research scientist at the Center for Information Systems Research (CISR) at the MIT Sloan School of Management and co-author, with Richard Hunter, a group vice president at Gartner, of the new book IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, August 2007; 256 pages, $35). "When I first joined the Center for Information Systems Research, it was right after 9/11, it was right after these major worms had hit, and different security issues and Sarbanes-Oxley were hitting at the same time," says Westerman. "People kept asking us questions about risk, and we didn't have a good answer on what risk means to the organization." The book is the culmination of five years' thinking and research devoted to IT risk management, and to finding a way to flip the coin and turn IT risk into business gain. CIO Insight Executive Editor Allan Alter asked Westerman what he learned during the past half-decade. The following is an edited version of their conversation.
CIO INSIGHT: Our research studies have found many IT executives believe they take an enterprise risk management approach to security. Do they, or are they fooling themselves?
WESTERMAN: We haven't seen a lot of firms that take a full, holistic view of risk. Risk has four elements we call the four A's: Availability: keeping the systems and the processes running. Access: making sure the right people have information and the wrong people don't. Accuracy: making sure the information we have is accurate and timely and complete. Agility: is IT helping or hurting an organization's ability to make major strategic changes? Yes, IT security is a big element of those four risks, but this holistic view is different from talking about risk in terms of silos like continuity, security and regulations. It means thinking about risk in terms of tradeoffs among the four business risks that are most affected by IT, rather than in terms of silos. While it's very hard for a businessperson to engage in a discussion of the importance of strong authentication or encryption, we can engage the business executive in the question of which processes are most important, and what is the business impact of having an availability problem in this process. We can have similar discussions about access, accuracy and agility. Tektronix, a big electronics equipment manufacturer, wanted to do a major corporate restructuring back in the late Nineties, and it turned out they couldn't: To spin off one of their major divisions, they would have had to give a copy of basically every system in the organization to the buyer. They actually had to put an ERP system in place, spending over $50 million in three years, just to disentangle the system so they could do acquisitions and divestitures. That's a major, major agility issue.
I think we in IT have always known these things, and many of the conversations we have with business executives have been about risk. But because we tend to talk about risk in these technical silos, it appears IT is standing in the way of thinking about security as risk. This is not about failures in IT; IT people ask good questions on risk and try to put good procedures in to manage risk, although we call those procedures standards, governance, architecture. But we often have trouble making our case for investment and changing behavior when we are dealing with the business.