Are You Making The Risks Clear While Keeping Up With Your C-Suite's Enthusiasm?

FP Archives February 3, 2017, 00:11:44 IST

C-Suite’s tech enlightenment makes it a lot easier to get management buy-in. But, what’s tougher is dealing with the skewed knowledge that comes from limited understanding.

Your CFO comes asking you, “Are we taking advantage of the cloud?”; seeing another company putting it into use, the CMO wants to know, “Do we have a mobile strategy?”; or even, “Why is it that our competitor is allowing its customers to register the warranty of a product using the social ID? Why is it that we are still using the traditional way?”

Does this sound familiar to you? If yes, then you are not the only one having to deal with this tech enlightenment and the resultant demands coming from the C-Suite, without them actually understanding the ‘what, why and how to deal with it’ part of the game. This makes it a lot easier to get management buy-in. But what’s tougher is dealing with the skewed knowledge that comes from limited understanding. In such a scenario, what the CIO needs is to be able to manage the associated risks and potential impact while keeping up with their enthusiasm.

CFOs, CMOs, CEOs and the other C-Suite executives are beginning to understand tech much better as it becomes more pervasive, thanks to their everyday exposure to phones, tablets, social media, emerging entertainment and utility devices, etc. And then they flip it over to IT without realising the risk-benefit analysis involved. The CIO’s job at this point is nothing less than walking the tightrope.

According to Kenneth Hee, Director of Business Development Enterprise Security, Asia Pacific Division, Oracle, the mandate at times comes from the top management, not in terms of dictating what to do or which product to use, but rather from a user perspective, having seen it used somewhere else. However, he is quick to add that even so, the CIO needs to be prepared with an answer and be able to lay down clearly the benefits as well as the risks. And that is where the tough job begins for the CIO.

While the benefits are easy to articulate, it’s the risk part that is difficult to deal with. And, here’s why:

Need To Be Ready With A Solution For The Risk

The CIO can’t be saying ‘no’ to everything just because it has some risks associated with it. Along with the problem, the solution also needs to be put on the table. There is no pressure on the CIO to adopt a particular technology at the management’s behest. But at the same time, it’s also pertinent to note that continually cribbing about the problem and citing that as an excuse will do no good to the CIO’s reputation in the long run, not to mention losing out on the benefits and competitive edge that new technologies can bring in with their right application within the enterprise.

Not As Simple As You Think

What further complicates risk is that there is no ‘black’ and ‘white’, as there are a lot of other issues to consider. “Risk is no longer a technical issue. There is usability and accountability that needs to be considered as part of the understanding of risk,” says Hee. Delving deeper into the ‘accountability’ factor from a security standpoint, he explains, “One needs to be clear on how to secure the part that you have control on and how to protect things that you have limited control on.”

Business Vs. Technical?

A similar complication in risk articulation is making the management understand. CIOs, who usually talk in a technical language with a very technical approach towards risk, find it very difficult to make much of a dent in their understanding. This means looking at risk in a holistic manner, not only in terms of Information Security risk, but also financial risk, reputational risk, etc. This means articulating the risk factors in a language that is understood by the management, i.e. business language. Even more importantly, this requires the CIO to broaden his/her own perspective towards risk and view it from the entire organisational perspective: be it finance, marketing, manufacturing, supply chain, sales, etc.

Written by FP Archives