Thoughts on IT Risk Management
Another week, another report painting a mottled picture of corporations and their approach to IT risk and compliance. This time around we have interesting points to explore about the pandemic’s effect on IT risk, how companies are responding to that pressure, and who is or isn’t in charge of all this stuff.
The report is MetricStream’s 2021 IT Risk and Compliance Survey, which polled 189 risk and compliance officers about their approach to IT risk. The report is worth reading for CISOs or compliance officers who have privacy or data security issues as part of their purview.
The first big theme, which should surprise nobody, is that the pandemic delivered a mighty kick in the rear to IT risk management. For example, 39 percent of respondents said their companies will increase spending on IT risk management in the wake of the pandemic. More spending on what, exactly? The report listed three top investment priorities:
- IT security solutions
- Tools for better regulatory compliance
- Better aggregation and reporting of IT security data
That squares with what we know about the pandemic. Namely, criminal organizations ramped up their attacks on corporate organizations, because so many businesses were in, ahem, “security disarray” as everyone rushed to have employees work remotely. So corporations need stronger security defenses, and tools to help them understand their compliance posture in such a fractured IT landscape.
Second, companies are racing to align IT risk management with operational and enterprise risk management. So said 72 percent of respondents.
To put things more plainly: corporate leaders now understand that just about every business objective and process they have depends on IT working properly. So they have to govern all risks in a coordinated way, or else all those lofty operational goals will get derailed by an under-resourced or ineffective cybersecurity function.
Third, we still have an unclear picture of exactly who is responsible for IT risk management. The single most common executive was the CISO, cited by 29 percent of respondents. But as you can see from Figure 1, below, the answers were quite diverse.
What observations about IT risk can we draw from all this? I have a few ideas.
Pandemic’s Impact on IT Risk
First, this report can help CISOs and compliance officers really understand how the pandemic transformed IT risk — and we need to understand what happened, before we can build effective responses to what happened.
Let’s start with what everyone already knows: COVID-19 caught corporations unprepared last year. They responded by having as many employees as possible work remotely until further notice. Now it’s clear that a large portion of the workforce will continue in some hybrid model, where they spend at least part of their time working remotely; and some smaller portion of the workforce will work remotely forever.
Those might be wise responses to our changed public health risk, but they have profound implications for IT risk.
How so? Once employees moved to remote work, CISOs lost a lot of control over exactly what those employees do. The IT assets those employees use — the devices, the software, the data, the network access points — are all beyond a CISO’s physical reach, and are at the farthest end of a CISO’s technological reach, too.
That’s forcing the CISO to pay more attention to IT governance, and to pay attention in new ways. For example, in pre-pandemic days you could require employees to work in the office, on company-issued devices, running company-approved software, on company-secured networks. You didn’t need to worry as much about IT risk because so much of your environment could be tightly controlled.
That’s all gone. Now CISOs have to think about how to keep corporate systems working — in a secure manner, and in compliance with all the usual regulatory requirements — in a much more loosely controlled IT environment. Even a task as simple as tracking all the IT devices accessing your data becomes much more complicated.
So CISOs need new tools (say, for monitoring access to confidential data, or automating the provisioning and de-provisioning of access to data); and new policies (“No installing third-party apps on company-issued iPads! And if you do work on your personal iPad, we reserve the right to wipe all the data remotely!”).
The challenge isn’t so much about keeping attackers from scaling the firewall; CISOs know how to fight that battle. The challenge is to maintain security and compliance across all your systems and data in such a radically decentralized IT environment. That’s where CISOs are still trying to find their way forward.
In that case, no wonder the top spending priorities are tools for better regulatory compliance and tools for aggregation and reporting of security data. That’s exactly where the need is.
A Word on CISOs
I was intrigued to see those numbers in Figure 1, where only 29 percent of respondents said the CISO oversees IT risk. That seems alarmingly low to me, although MetricStream noted that perhaps some companies have an IT security professional who holds the title of CIO or CRO.
My real concern, however, isn’t the security proficiency of the person in charge of IT risk or the specific title he or she has. My question is whether that person is part of the executive management team.
After all, if IT risk is essentially synonymous with operational risk (and I’d argue that’s the case, especially in the post-pandemic work world), and 72 percent of survey respondents say they align their IT, operational, and risk management programs — then the CISO needs to be part of the management team that makes strategic decisions and sets business objectives.
That’s how you get security and IT risk management by design. Otherwise security and IT risk are always running to catch up with business risks, which is the predicament at far too many businesses today.
I can’t help but recall the mess at Facebook after the 2016 elections, where Russia exploited Facebook to pump disinformation to the U.S. public. Facebook’s CISO at the time, Alex Stamos, couldn’t raise sufficient alarms about Russia’s attacks because he reported to the company’s general counsel.
If one of the largest tech companies in the world didn’t have a properly empowered CISO then, how many organizations still have that bad habit now, when the pandemic has made the habit even worse? I wonder.