A New World of IT Risks: Are CIOs Up to the Challenge?

by Irfan Saif

CIOs, along with security and compliance teams, are often responsible for managing risk across the enterprise IT environment while taking steps to be sure that the business is being served appropriately. The disruptive forces of cloud computing, social media, and mobility are all hitting CIOs at the same time, introducing a broad, new set of risks and security challenges.

You may be pressured by a strong desire from your business counterparts to rapidly adopt nascent or rapidly evolving technologies and solutions in order to compete in your marketplace. In some cases, this need for speed even leaves the IT leaders out of the discussion altogether until after the services or applications have been procured or deployed.

This rapidly evolving enterprise technology environment makes it more important than ever for CIOs to get a handle on what the real risks are within your IT ecosystem. How do these risks impact your business and your IT department's three pillars of confidentiality, integrity, and availability? What is IT going to do to manage these risks?

The problem is made more complex by the sheer volume — and value — of data, both structured and unstructured, that is produced by your organization's business processes and relied upon for much of your company's decision-making practices. Add in the skills and resourcefulness of cyber criminals, hackers, corporate spies, intellectual property pirates and the underground network of “service providers” who support their activities, and the complexity of the challenges you face starts to become apparent.

One thing is clear -- the compliance-based approach that so many enterprises have chosen in the past is often not a practical way to manage the real risks facing CIOs.

Consider these recent developments, which will only intensify in 2011:

1. Mobile devices: Smartphones, PDAs, laptops, notebooks, and tablets—any Web-enabled device—opens new avenues of attack on systems and data. Remote wipe and local encryption, for example, are standard countermeasures, but what about employees or contractors using unauthorized devices? What about the CEO who demands mobile flexibility? How does one prevent user-driven risks, such as connecting to illicit access points or downloading and using malicious applications on these mobile platforms -- which could potentially compromise corporate information or systems?
2. Social media: Businesses of all sizes are working to harness social media platforms, although without the right guidance and understanding, these technologies can potentially pose many new risks to the business. Such sites have the potential to provide attackers with access to personal and corporate data. You and your teams must help educate management and your business users about social media risks and benefits, to help take advantage of these technologies in the right way.
3. Cloud computing: One of most rapidly growing elements of enterprise IT, cloud computing can provide numerous benefits, including increased flexibility, reduced costs, and robust security and compliance. Key decisions require you to analyze the benefits, costs and risks of maintaining certain IT capabilities, such as server farms or specialized applications, internally or externally. Even when cloud services make sense, however, providers may not assume liability for certain damages associated with system breaches or data loss, such as harm to a company's reputation, brand, and intellectual property. The responsibility for protecting these core attributes usually falls to the CIO.