Kim Andreasson, advisor to the United Nations since 2003, explains how CIOs can influence boardroom thinking on global data threats.
Cybersecurity has evolved. Once, it was just a threat to an organization’s technology. Now, it is a significant risk that can disrupt enterprise-wide operations and endanger vital information.
This change has an important impact on today’s CIOs. They must assess the potential impact that cyber threats can have on operational risk, but also communicate this properly to other senior executives – many of whom will not be so well versed in cyber issues.
To determine the full extent of the risks, one must first understand the global cyber ecosystem. This can be challenging.
Complex supply chains and outsourcing to third-party data providers mean that threats and vulnerabilities can arise in unlikely places, as attackers often target the weakest areas of the perimeter wall.
For example, an American bank was defrauded of several millions of dollars in 2013 after hackers infiltrated a company in the Middle East on which the bank relied to help process its information.
The rise of cloud and mobility solutions adds another level of complexity to a CIO’s technology transformation and security management responsibilities. While these systems are vital for enabling more responsive and customer-centric businesses, they bring new challenges too. For example, only a fraction of executives seem to know where their data is physically stored and what security measures are in place to protect it. (In fact, 85% of cloud services are currently provided by US firms.)
As well as thinking through areas of weakness and vulnerability, an organization must also consider the type of data that it is trying to protect, and its value to the cyber criminals.
This information may not even be held within the IT department – it could be stored by the R&D function. But a wise CIO takes the lead on measuring cyber risk relative to the impact it would have on core business, and then communicates this in clear terms to the boardroom.
As EY’s 2014 Global Information Security Survey highlights, this issue is not recognized clearly enough in the boardroom.
Nearly 80% of CIOs or IT departments have the information security function reporting directly to them, compared with just 14% reporting directly to the CEO. CIOs clearly hold the responsibility to communicate the risks associated with cyber threats to the rest of the leadership team in a manner they will understand, so that they take the appropriate actions.
This is a key responsibility. Recently, a friend of mine who oversees IT operations across numerous countries developed a checklist of KPIs to track cybersecurity in multiple jurisdictions.
This soon grew into an audit covering hundreds of different measurements, which he duly reported upward. But it was too technical, and the other executives simply didn’t understand what the measurements meant.
To overcome this, he consolidated the indicators into a set of relevant themes and translated IT metrics into language relevant to the business.
For example, instead of reporting the technology issue – e.g., “Port SMTP 25 is open” – he instead color-coded “computer vulnerability” as yellow for “attention needed,” green for “ok” or red for “warning.” This simple switch fundamentally changed executive engagement on the issue, giving it far greater resonance.
Of course, CIOs need to recognize that cybersecurity is only one aspect of organizational risk. There are times when cyber risk may top the agenda, and CIOs should rightly be flagging this up, but there are other risks, for example when social unrest may be affecting a local operation, which may be far more worrying to an organization than keeping its IT systems safe. However, cybersecurity and cyber risks are a constant issue, and the threats continue to be more sophisticated and persistent, so they deserve their place as a constant agenda item.
Explaining all this in simple terms goes a long way to ensuring that the boardroom finally listens.
Kim Andreasson is also the editor of Cybersecurity: Public Sector Threats and Responses.