Saturday, November 1, 2025

CIOs can Show Value Through Risk Management


New-to-the-role CIOs face the daunting task of quickly coming up to speed on their organization's business priorities and potential security threats, all while building relationships with other members of the C-suite.

With so many competing demands, how should new CIOs focus their time and budgets to establish themselves as indispensable strategic leaders? 

A recent Gartner survey of CIOs and IT executives offers clear guidance, said Srinath Sampath, a vice president analyst at the research and advisory firm.

“More than any other part of their jobs, cybersecurity and risk management were deemed to be the most critical activities that they absolutely needed to get right, otherwise their jobs would be at stake,” Sampath said, speaking at this month’s Gartner IT Symposium/Xpo event in Orlando, Fla. 

Sampath said that as their companies’ “de facto chief technology risk officers,” new CIOs must promptly implement a process for mitigating the top technology risks for the enterprise, while providing assurance to stakeholders.

Because few CIOs have an unlimited budget for risk management, they must first gain an understanding of their organization’s business goals in order to strategically balance risk management against financial constraints.


“[CIOs] have to deliver a certain level of desired value for a cost that the organization is willing to afford, and at an acceptable level of risk to the enterprise,” said Sampath, acknowledging the difficulty of the task. 

“Obviously, you don’t have a lot of time to prove your jobs, as you get pulled into different directions by different stakeholders, and everyone wants you to deliver results yesterday,” he said.

He offered the following steps to take: 

Start with a Risk Management Plan

In response to the pressure to quickly demonstrate their value to the organization, new CIOs should start by developing a solid risk management plan, Sampath said. One of the first steps is to analyze the reliability and credibility of organizational data, he said. 

CIOs should source data from different divisions in their organization and identify the biggest threats and vulnerabilities, in addition to emerging security issues. This data can include past incident reports and audit findings, but CIOs should also examine industry forums and reports to “understand and eliminate blind spots from your view,” Sampath explained. 

New CIOs will need to establish a cadence for conducting and reporting on risk assessments, such as monthly or quarterly, “so that you are re-evaluating and validating your understanding, and your organization’s understanding, of what the biggest risk exposures are, and that you’re looking at it from various lenses like impact and likelihood,” he said. “Some risks might come really fast and others might be slow-moving.”

[Photo: Srinath Sampath, VP Analyst for Gartner]

Establish Relationships within the C-suite

Relationship building will also be key to the risk management development process, Sampath said.

“One of the first things you want to do is to gather and gain quick situational awareness about what are the expectations that your stakeholders have from you,” Sampath said. “When do they expect to see certain types of outcomes and changes?”

To identify stakeholder expectations, Sampath suggests setting up a “listening tour” with other C-suite executives. During this exercise, it’s important for the CIO to build a “good working relationship” with the CISO and determine how to “collaborate and coordinate risk management activities” so there’s a plan in place should a cybersecurity threat arise. 

The listening tour process should also reveal the board and executive team’s “risk appetite,” Sampath added. CIOs will need to understand how to balance executives’ tolerance for the duration of an operational or technological disruption with the financial cost of mitigation. 

Balancing response time to a threat with budgetary constraints means landing “at a spot where the organization feels comfortable with the levels of risk that they’re accepting, and it’s something that you can deliver as an organization.”

Risk Management Is a Team Effort

CIOs should also create a committee or governing body as part of their risk management strategy, with representation from across the business divisions rather than only from IT and security roles, Sampath said.

“Make sure there is some business representation in there, because this is not purely about technology,” he said. “This is about technology-driven business impacts and business risks to the overall enterprise.”

With a solid risk management plan in place and support from across the organization and the C-suite, new-to-the-role CIOs can set themselves up for success in the near term. The key is making the link between technology risks and their financial and operational consequences.

“Try to create a connection between the underlying technology risk exposures and the ultimate business consequences that your C-suite and stakeholders ultimately care about,” Sampath advised.
