
4 Posts tagged with the it_risk tag

“Governance is like a diet: everybody thinks it’s a good idea, but hardly anybody does it well and nobody is successful.  Effective IT governance starts with understanding the strategic direction of the larger organization and then having a clear IT strategy—that people buy into—that aligns with that.” —University CIO

 

The topic of IT governance has always been one of great importance to the successful operation of the corporate technology function.  But in today’s environment it is even more critical for driving strategic opportunity for the business.  Well-designed and executed enterprise IT governance makes roles, responsibilities, and paths to execution transparent and creates the platform for generating business value.  Forward-thinking CIOs are exploring ways to take IT governance to the next level—to enable their businesses to pull ahead in this hyper-competitive, global business environment and position IT in a leadership role delivering technology-enabled innovation.  They are also experimenting with relaxing governance standards to foster innovation in high-growth areas of the business, by allowing the business to take responsibility for the added risk.

 

Center CIO members across industries and geographies shared their insights on the obstacles and opportunities that exist for CIOs in establishing or evolving their IT governance models and mechanisms in order to cement IT’s role as a strategic business partner.  The following themes emerged from the qualitative research:

 

  • Integration between enterprise IT governance and the larger organization’s governance structures is critically important
  • Strategic alignment and cost control are the two biggest benefits of mature IT governance
  • CIOs are working hard to figure out how to create new aspects of IT governance to support today’s business needs: innovation, speed, and agility
  • Change management is the single biggest challenge when introducing new aspects of IT governance
  • IT governance processes must be transparent and inclusive

 

Read this white paper to gain peer advice and insight on approaches that CIOs are implementing to take a leadership role in IT governance and deliver benefits to the business.

 


In an effort to share insights and advice coming out of the great conversations CIOs are having as a community, the Center launched a new and exciting six-part video series, CIO Perspectives. This series brings together leading CIOs as they exchange ideas and compare experiences on topics that matter to CIOs looking to enhance their impact as business leaders.

 

Listen to Harvey Koeppel, Executive Director of the Center for CIO Leadership, as he leads a discussion focusing on the function of risk management with Center CIO members Jeanette Horan (CIO, IBM), Peter Whatnell (CIO, Sunoco, Inc.), and Ron Bergmann (Vice President and CIO, Lehman College/CUNY).

 

Episode 1: CIO Perspectives | Risk Management

 

IT risk is present in most organizations and companies.  IT risk is a "derivative risk": when an IT incident occurs, it affects "main risks" such as continuity risk, confidentiality/privacy risk and reliability risk.  CIOs and IT directors tend to focus on technology.  However, most of the time it is people and the lack of a proper IT risk framework that cause the major weaknesses and the highest IT risks.

 

Organizations should start by identifying their IT risks, defining a risk appetite and designing appropriate measures to mitigate the risks.  New technologies emerge, and the CIO should check whether they fit within the risk appetite of the organization.  If not, new risk-mitigating measures must be implemented, or the use of the new technology has to be postponed or cancelled.  The use of new technology can reduce operational costs and create a competitive advantage.  New technology has a cost itself, plus the cost of reducing the IT risk related to it.  A business case must support the implementation and use of any new technology.  Examples of new "hot" technologies are the Cloud and the iPad.

 

All participants of the roundtable agreed on two points:

- IT risk is not only for IT people: it is a multi-discipline subject.  E.g. IBM has an IT risk committee (with all CxOs and representatives from operational departments);

- People are the weakest link in the "IT risk/security" chain.

 

Some measures proposed to manage the "human risk" are the use of social media (to engage and educate employees) and the certification of employees.  One participant suggested pairing architects with security specialists.

 

The roundtable agreed that there is a positive correlation between IT complexity and IT risk: the higher the complexity, the higher the risk.  Reducing IT complexity therefore also reduces IT risk.  Architects can play an important role in reducing complexity.

 

Bigger companies should also think about cyber warfare departments.  Hacker communities attack companies when they don't agree with the company's policies (e.g. credit card companies were attacked when they refused to accept Wikileaks payments).

 

I think the discussion was quite valuable... for larger organizations.  Smaller businesses cannot afford risk committees: they must rely on the quality of technology suppliers and IT service suppliers.  In the Netherlands we had a very large-scale security issue where a company, Diginotar, which supplied security certificates, was hacked - by hackers from Iran.  All websites of the Dutch government used those certificates.  Even Microsoft was affected.  A lot of websites had to close down for days and Diginotar went bankrupt within two weeks... (http://www.pcworld.com/businesscenter/article/239639/dutch_government_struggles_to_deal_with_diginotar_hack.html).

 

How can an organization avoid the use of non-secure certificates?  The security of Diginotar itself was a mess... Is certification of companies and people a solution?

 

The major question of the roundtable was whether IT risk could be turned into a competitive advantage.  I think it cannot.  It will be a competitive disadvantage when the risk-mitigating measures are not in place when an incident occurs.  In that case a company can go bankrupt (and the owners are in a position to get sued as well...).  Companies must be able to trust "IT security" suppliers, and they should define their own IT risk appetite with risk-mitigating measures (with an allocated budget).

 

A "general" security/IT risk baseline (generally accepted by the market) could be of great help, especially to small- and mid-sized companies.

“The involvement of the entire organization is very important.  You have to have a policy of security and risk management so that the people are involved in the process and are being more proactive than reactive.” —CIO, government finance ministry

 

Risk management is a topic of concern and priority for CIOs in all industries.  High-profile attacks on customer databases and company websites have heightened the focus on information security and data protection as a core component of IT risk management.  The explosion of social media has presented CIOs with a score of concerns, from reputational risks to the brand to the dangers of unfettered employee access.  The evolving regulatory environment has created significant new demands upon enterprises and their CIOs and continues to require increased transparency and proof that these risks are being well managed.  And the call for more mobile access to corporate tools is challenging the traditional IT tactic of securing the perimeter and forcing CIOs to focus instead on endpoint security.

 

The Center for CIO Leadership interviewed CIO members across industries and geographies to gain their perspectives on how IT risk is changing for CIOs and what approaches CIOs are implementing to take a leadership role in risk management.  The following themes emerged from the qualitative research:

 

  • IT risk management and security processes should be integrated into overall enterprise risk management governance
  • A balanced approach to risk management is key
  • IT leaders must market IT’s risk management and security strategies in business terms
  • IT risk management and cyber security are not annual exercises
  • Continuous education is paramount
  • Risk management must be ingrained in every facet of IT strategy and management

 

Read this white paper to gain peer advice and insight on approaches that CIOs are implementing to take a leadership role in risk management and how CIOs are partnering with the entire organization on this imperative area.

 

Read the white paper attached below.