One issue long under the spotlight has been the vulnerability of companies’ data to hacking attacks.
“The recent attacks on Sony by ‘Hack Anonymous’ did not have any financial value to a cyber criminal,” Price says.
“The aim was to embarrass organisations by exposing how lame their security really was. But, of course, the boards of companies don’t understand the implications of this. They may hear about cyber but they really don’t know what it means, because it’s not their area of expertise.”
Not that anybody these days can really prevent their company from being hacked. The best you can do is to detect an intruder, find out what they took and minimise the loss. In fact, according to Price, anywhere between 51 and 99 per cent of “companies of significance” are already infected by malware that is exfiltrating information from their IT systems or giving an external party access to them.
All the more reason, he maintains, for CIOs to identify mission-critical data and to understand it from the board’s perspective; namely in terms of potential revenue loss, reduced productivity, reputational damage, share-market impact, and loss of consumer confidence.
To achieve such an integrated enterprise view of information risk, Price says it’s time for CIOs to become more proactive in working with risk professionals. The upshot, he says, will be an enhanced standing of ICT at board level.
“Certainly in situations where there is no chief risk officer and the CFO looks after marketing and credit risks, operational risks should fall to the CIO,” he says.
“This is key to CIOs gaining an integrated enterprise view of risk and the elimination of organisational gaps in responsibility. It’s those gaps that the bad guys find and attack. It’s not enough to go out and buy widgets when you need them.
“Instead, there has to be an information security management framework incorporating policies and standards that people understand and are held accountable for following. Then, of course, CIOs have to architect systems such that they know the value of the information that traverses or is stored on them.”
In other words, integrating IT and information security risk management into the greater enterprise risk management needs to become a CIO imperative. One of the best ways for CIOs to obtain executive buy-in is to map the organisation’s key performance indicators (KPIs) against key risk indicators (KRIs). Because all organisations have a strategic plan, the board and company as a whole will understand KPIs, and that is the context in which KRIs need to be measured.
“Selling security or IT to a board is the same as selling anything to anybody,” Price says.
“It’s about finding out the problems they have — the needs and wants of the ‘buyer’ and providing a solution that satisfies them.”
The key, he says, is a clear explanation.
“The board understands risk, but they may not understand the IT and information security implications because to date we have not done a very good job of explaining them in terms they understand.”
Patey adds: “It’s true that in the recent past we’ve seen a significant increase in hacking and the risks associated with data loss. However, CIOs play an enormously valuable role in being able to build solutions and implement policy and procedure to reduce the risks associated with that.
“The key is being able to protect through solutions that will not devalue or slow down the organisation or detract from its ability to profitably deliver services.
“It’s important not to become a doomsday prophet. Instead, you need to be able to highlight the fact that certain risks exist today, the consequences of those risks on businesses that have experienced them (such as Sony), and what can be done to prevent or mitigate them.
“Obviously you do not want the board or leadership team to become familiar with those risks by living through an actual event.”