Gartner: CISOs must use risk to show the value of security to business goals

Risk is key to enabling IT information security professionals to engage with the business and demonstrate business value to the board, according to Gartner.

Risk is key to enabling IT information security professionals to engage with the business and demonstrate business value to the board, according to Gartner.

Information security professionals are the best placed in an organisation to help make connections between IT risk and business risk, Gartner analyst Christian Byrnes told the opening session of the Gartner security and risk management summit 2011 in London.

Chief information security officers (CISOs) can put IT at the centre of the business by making it clear they play an important role in ensuring risk stays within the range of risk accepted by the business, he said.

IT security professionals need to make it clear - to the business in general and the board in particular - that defining beneficial risk tolerances and ensuring these are not exceeded is their mission, said Byrnes.

To be successful in the next decade, IT professionals must be able to connect business and technology, he said.

Supporting the board in its role of risk supervision is a useful way to do this and raise the profile of IT within the business, said Gartner analyst French Caldwell.

"Boards are becoming increasingly interested in risk due do to regulatory pressure and overall business uncertainty," he said.

CISOs need to understand what the main risks are that boards are concerned about and what IT risks are related to those. CISOs must assess whether IT risk mitigations are adequate and look at what IT can do to support the board in its role of risk supervision.

Caldwell said the most obvious way CISOs and IT can help is by using technology to bring together different silos of risk assessment into a common system.

"CISOs should take the initiative and sit down with all the C-level executives responsible for risk to establish a common framework to enable coherent and uniform bottom-up reporting," he said.

Boards are also concerned about keeping on top of compliance with a rapidly increasing number of regulatory requirements, said Caldwell. This is where IT can help monitor activities in the organisation to provide proof corporate policies are being followed.

According to Caldwell, IT security professionals can use six risk-management techniques to make the crucial link between IT and business objectives, while helping boards achieve effective risk supervision at the same time.

"There is a shift from risk to asset-performance to risk to business-performance. CISOs can capitalise on that shift," he said.

The first step is to identify the business benefits of investments in governance risk and compliance, such as moving away from spreadsheet chaos to a single system of record.

"This will immediately help improve the efficiency of compliance programmes and help analyse risk in terms of business performance," said Caldwell. It will also help IT contribute to business value by monitoring transaction controls, for example, to stop duplicate payments.

CISOs can work with people like the CFO and supply chain leader to enable a return on investment for the business from GRC.

Second, CISOs can engage with senior executives in tackling risk silos. This is best done by identifying which executives would be affected by an IT failure, then sit down with them to decide what common way can be used to describe risk to give the board a consistent view.

"Even if there is no agreement on the residual risk of something, if everyone is using the same language, differences are much easier to resolve," said Caldwell.

Third, CISOs must report IT risk, not in terms of technology, but in terms of impact on business objectives.

If a business goal is to achieve better customer service, CISOs should report the risk of systems-failure in handling things such as customer relations, point of sale and the website.

Fourth, CIOs must demonstrate how they do things like supply risk intelligence, help with reputation management and use analytics to provide a better understanding of risk exposure.

Fifth, CISO must be careful not to waste board members' time, particularly as many corporate directors can devote only four hours a week to board business. CISOs need to find ways of communicating risk information between meetings through things like newsletters and dashboards, said Caldwell, but taking care to go through the person with responsibility for risk.

Finally, CISOs must learn to use their time in front of the board effectively. They must learn to show what they know what matters most and use the opportunity to reinforce the connections between IT performance and business performance, between IT objective and business objectives.

"This is the time for CISOs to show that risks to strategic objectives are being adequately managed and why certain strategic IT investments will be needed to get the board's support," said Caldwell.

Read more on IT risk management