3 Steps for Mitigating IT Risks

By Irfan Saif  |  Posted 03-11-2011

A New World of IT Risks: Are CIOs Up to the Challenge?


CIOs, along with security and compliance teams, are often responsible for managing risk across the enterprise IT environment while taking steps to be sure that the business is being served appropriately. The disruptive forces of cloud computing, social media, and mobility are all hitting CIOs at the same time, introducing a broad, new set of risks and security challenges.

You may be pressured by a strong desire from your business counterparts to rapidly adopt nascent or rapidly evolving technologies and solutions in order to compete in your marketplace. In some cases, this need for speed even leaves the IT leaders out of the discussion altogether until after the services or applications have been procured or deployed.

This rapidly evolving enterprise technology environment makes it more important than ever for CIOs to get a handle on what the real risks are within your IT ecosystem. How do these risks impact your business and your IT department's three pillars of confidentiality, integrity, and availability? What is IT going to do to manage these risks?

The problem is made more complex by the sheer volume -- and value -- of data, both structured and unstructured, that is produced by your organization's business processes and relied upon for much of your company's decision-making practices. Add in the skills and resourcefulness of cyber criminals, hackers, corporate spies, intellectual property pirates and the underground network of "service providers" who support their activities, and the complexity of the challenges you face starts to become apparent.

One thing is clear -- the compliance-based approach that so many enterprises have chosen in the past is often not a practical way to manage the real risks facing CIOs.

Consider these recent developments, which will only intensify in 2011:

  1. Mobile devices: Smartphones, PDAs, laptops, notebooks, and tablets -- any Web-enabled device -- open new avenues of attack on systems and data. Remote wipe and local encryption, for example, are standard countermeasures, but what about employees or contractors using unauthorized devices? What about the CEO who demands mobile flexibility? How does one prevent user-driven risks, such as connecting to illicit access points or downloading and using malicious applications on these mobile platforms -- which could potentially compromise corporate information or systems?
  2. Social media: Businesses of all sizes are working to harness social media platforms, although without the right guidance and understanding, these technologies can potentially pose many new risks to the business. Such sites have the potential to provide attackers with access to personal and corporate data. You and your teams must help educate management and your business users about social media risks and benefits, to help take advantage of these technologies in the right way.
  3. Cloud computing: One of the most rapidly growing elements of enterprise IT, cloud computing can provide numerous benefits, including increased flexibility, reduced costs, and robust security and compliance. Key decisions require you to analyze the benefits, costs and risks of maintaining certain IT capabilities, such as server farms or specialized applications, internally or externally. Even when cloud services make sense, however, providers may not assume liability for certain damages associated with system breaches or data loss, such as harm to a company's reputation, brand, and intellectual property. The responsibility for protecting these core attributes usually falls to the CIO.

3 Steps for Mitigating IT Risks

How can CIOs raise the priority of information security in management's eyes? How can you improve the deployment of IT risk-management resources and develop proactive, cost-effective solutions to identify and manage the real risks without impacting the business? Here are three concrete ways to go about it:

  1. Educate management about cyber threats: Focus management on the benefits and the risks that new technologies pose to the business. If you have addressed the relevant compliance and regulatory requirements, assure your senior executives that these issues are under control. But also be sure to point out that compliance and regulatory adherence are only two components of risk management. Careful user education; access, system, and vendor management; and system monitoring are also needed to address the full range of risks. Whenever possible, translate cyber threats into what they'll mean for the business, the company's strategy, and its financial status. Educate your management on the dangers facing the company's reputation, brand, and intellectual property.
  2. Show how cyber security supports the business: A full-spectrum cyber security capability requires attention and commitment from senior executives. Cyber security is a key element of risk management and is best addressed within this context. Use case studies and other examples to illustrate your points. At a minimum, this approach anchors cyber security as a line item in the risk management budget, and potentially as an agenda item at board meetings. Raising awareness in the upper reaches of the organization is just one part of the CIO's job. You also need to choose security solutions that minimize the complexity and time it takes for your end users to perform security-related tasks. This will reduce the probability of human error.
  3. Know what's going on in your IT environment: Cyber threat management comes down to awareness of what's going on in your environment. It means understanding IT risks and how they manifest themselves. As CIO, you and your teams must maintain high awareness of the components, functions, and uses of IT in the organization. Only then can IT proactively mitigate risks. For example, security information and event management (SIEM), coupled with external information from intelligence feeds, can help detect log-ins from vulnerable sites. Huge amounts of information exist. The key is to sift the relevant data out from the surrounding noise, organize that information and enhance it with additional intelligence to allow for more robust management of the IT environment.
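The third step, enriching authentication events with an external intelligence feed so that only the relevant log-ins surface from the noise, is illustrated below with an added example that is not part of the original article. The feed ranges, the log lines and their format are constructed for the demonstration and are not real indicators.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intelligence feed: network ranges a hypothetical external
# feed has flagged. Values are illustrative (documentation ranges), not real indicators.
THREAT_FEED = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]

# Constructed authentication log lines in a simplified syslog-like format.
AUTH_LOG = """\
2011-03-11T08:02:11 sshd: Accepted password for alice from 10.0.4.15 port 52110
2011-03-11T08:05:43 sshd: Failed password for root from 203.0.113.45 port 41022
2011-03-11T08:05:49 sshd: Accepted password for bob from 203.0.113.45 port 41030
2011-03-11T08:09:02 sshd: Accepted publickey for carol from 192.0.2.8 port 50021
2011-03-11T08:12:37 sshd: Accepted password for dave from 198.51.100.7 port 39001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)

@dataclass
class Alert:
    timestamp: str
    user: str
    source: str
    result: str
    matched: str  # the feed entry that matched the source address

def enrich_logins(log_text, feed):
    """Return only the login events whose source IP falls in a feed range;
    every other line is treated as noise and dropped (the sifting step)."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        src = ip_address(m["src"])
        for net in feed:
            if src in net:
                alerts.append(Alert(m["ts"], m["user"], m["src"], m["result"], str(net)))
                break
    return alerts

if __name__ == "__main__":
    for a in enrich_logins(AUTH_LOG, THREAT_FEED):
        print(f"{a.timestamp} {a.result} login {a.user}@{a.source} matches {a.matched}")
```

Three of the five events are retained, including a successful log-in that followed a failed attempt from the same flagged address, which is the kind of sequence a SIEM rule would escalate.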

The road ahead poses significant challenges for CIOs, particularly as it relates to the combination of cyber threats, new technologies, and the launch of new programs designed to tackle them. By moving away from a strictly compliance-driven approach, CIOs can take a strategic, pragmatic view of the real risks impacting their enterprises. Educating your business counterparts and teaming with them will put your organization in a position to tackle these risks holistically. Surely you're up to the challenge.

Irfan Saif is a principal in the Deloitte & Touche LLP Security & Privacy practice.