Security, Reconsidered

By Allan Alter  |  Posted 08-09-2007 Print Email

A narrow focus on security keeps CIOs from addressing other IT risks, says MIT's George Westerman. The solution? Adjust how CIOs think about security and develop capabilities often overlooked.

Business people know risk and return are opposite sides of the same coin; you can't have return without risk. So successful companies learn to analyze, accept and manage risk...most kinds of risk, anyway. When it comes to IT risk, organizations tend to focus on avoiding risk instead of managing it, by preventing intrusions and preparing to respond to catastrophic events. But instead of protecting companies, this approach to risk has blindsided IT to a long stream of IT disasters, from system meltdowns (Comair, Jet Blue) and stolen credit card data (TJX, CardSystems Solutions) to pilfered laptops (Veterans' Administration) and stolen data (U.S. Department of Transportation). Putting IT security back in the context of risk management has been the focus of George Westerman's work.

Dr. George Westerman is a research scientist at the Center for Information Systems Research (CISR) at the MIT Sloan School of Management and co-author, with Richard Hunter, a group vice president at Gartner, of the new book IT Risk: Turning Business Threats Into Competitive Advantage (Harvard Business School Press, August 2007; 256 pages, $35). "When I first joined the Center for Information Systems Research, it was right after 9/11, it was right after these major worms had hit, and different security issues and Sarbanes-Oxley were hitting at the same time," says Westerman. "People kept asking us questions about risk, and we didn't have a good answer on what risk means to the organization." The book is the culmination of five years' thinking and research devoted to IT risk management, and on finding a way to flip the coin and turn IT risk into business gain. CIO Insight Executive Editor Allan Alter asked Westerman what he learned during that past half-decade. The following is an edited version of their conversation.

CIO INSIGHT: Our research studies have found many IT executives believe they take an enterprise risk management approach to security. Do they, or are they fooling themselves?
WESTERMAN: We haven't seen a lot of firms that take a full, holistic view of risk. Risk has four elements we call the four A's: Availability, keeping the systems and the processes running. Access, making sure the right people have information and the wrong people don't. Accuracy, making sure the information we have is accurate and timely and complete. Agility, is IT helping or hurting an organization's ability to make major strategic changes? Yes, IT security is a big element of those four risks, but this holistic view is different from talking about risk in terms of silos like continuity, security and regulations. It means thinking about risk in terms of tradeoffs among the four business risks that are most affected by IT, rather than in terms of silos. While it's very hard for a businessperson to engage in a discussion of the importance of strong authentication or encryption, we can engage the business executive in the question of which processes are most important, and what is the business impact of having an availability problem in this process. We can have similar discussions about access, accuracy and agility. Tektronix, a big electronics equipment manufacturer, wanted to do a major corporate restructuring back in the late Nineties, and it turned out they couldn't: To spin off one of their major divisions, they would have had to give a copy of basically every system in the organization to the buyer. They actually had to put an ERP system in place, spending over $50 million in three years, just to disentangle the system so they could do acquisitions and divestitures. That's a major, major agility issue.

I think we in IT have always known these things, and many of the conversations we have with business executives have been about risk. But because we tend to talk about risk in these technical silos, it appears IT is standing in the way of thinking about security as risk. This is not about failures in IT; IT people ask good questions on risk and try to put good procedures in to manage risk, although we call those procedures standards, governance, architecture. But we often have trouble making our case for investment and changing behavior when we are dealing with the business.



 

Submit a Comment

Loading Comments...
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date