Interviews

CIOs and narrative of risk

by Mark Rowe

CIOs need to change the narrative around IT risk, says Oliver Cronk, Chief Architect, EMEA at the cyber firm Tanium.

The weight of responsibility for Chief Information Officers (CIOs) to combat cyber threats has never been greater. Several recent developments have made the task of securing organisations more difficult, such as the shift to hybrid workplaces, a continued surge in supply chain threats and the growing sophistication of attacks such as ransomware. The paradox is that most companies don’t make IT risk management a priority until something goes wrong, and by then it may sadly be too late.

CIOs must therefore adopt IT risk management as the main facet of their role, as their organisations contend with the challenges of looking after a growing network of endpoints – which now includes personal computers and smartphones being used by employees, in addition to corporate-owned devices. These devices move on and off corporate networks and store and move large volumes of sensitive data, resulting in an increased number of vulnerabilities and risks that CIOs need to be aware of.

At the same time, the impact of a single exploited endpoint is growing. In recent years, we have seen multiple high-profile organisations lose hundreds of millions of dollars from simple, preventable breaches. The result: IT risk has become a board-level concern, and every organisation is now looking for a tangible way to score and reduce the risk carried by their endpoints.

Risk management challenges

Although risk management is more important than ever, most CIOs lack the tools to perform effective risk management and remediation. Monitoring and managing risk is not easy, but many organisations handicap themselves by using point solutions that collect stale, limited datasets and apply their own perspective on which risks to focus on.

This forces CIOs to stitch together scattered, siloed information on their risks, with many undertaking processes that are highly manual, such as collecting data through interviews and recording it on spreadsheets without the necessary context. With hybrid working on the rise, this ad hoc approach provides very little visibility into how an organisation’s risk is truly developing and simply won’t cut the mustard when it comes to preparing for audits, presenting to the leadership team, or reducing overall exposure.

Ensuring compliance

A key consideration and motivation for CIOs when attempting to improve their organisation’s risk posture is the act of remaining compliant with the GDPR, CCPA or other local data privacy regulations. This is an ongoing challenge for organisations, amid their sprawling corporate networks and growing list of partnerships with multiple third parties.

But not knowing how many endpoints an organisation has, or what data resides on those endpoints, introduces tremendous risk. To avoid this and ensure regulatory compliance, organisations must be able to quickly identify and manage sensitive and proprietary data at scale.

The importance of taking a proactive approach

By implementing technology that provides a simple and actionable way to manage risk across the entire enterprise, CIOs can take a proactive approach to preventing cyber-attacks.

For example, effective risk management tools should be able to scan all endpoints for vulnerability and compliance risks in minutes, without creating significant network strain. Such tools can then use this real-time data from servers and workstations to generate a numerical score (e.g., between zero and 1000) representing the overall risk of the enterprise, based on data from every managed endpoint.

By using an intelligent risk score grounded in meaningful operational and security metrics, CIOs can make informed decisions and take actions that truly improve their organisation’s compliance and risk posture.
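To make the "numerical score between zero and 1000" concrete, the following is an added illustration written for this page; it is not Tanium's scoring model and not code from the interview. It assumes per-endpoint findings have already been collected by a scanner, and it assumes the severity weights, the exploited-vulnerability multiplier, the 25-points-per-unit scale and the 50/50 blend of fleet average and worst endpoint; all of those are arbitrary choices an organisation would tune to its own risk appetite. The blend with the worst endpoint reflects the article's point that a single exploited endpoint can matter more than the fleet average suggests.

```python
"""Illustrative endpoint risk scoring and trend reporting (example, not a vendor model)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed weights for illustration only; not Tanium's scoring model.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
EXPLOITED_MULTIPLIER = 2.0  # a vuln with known in-the-wild exploitation counts double
POINTS_PER_UNIT = 25.0      # assumed scale: raw weight 40 saturates an endpoint at 1000


@dataclass
class Finding:
    kind: str                 # "vuln" (e.g. missing patch) or "compliance" (e.g. disk unencrypted)
    severity: str             # key into SEVERITY_WEIGHT
    exploited: bool = False   # only meaningful for kind == "vuln"


@dataclass
class Endpoint:
    name: str
    findings: List[Finding] = field(default_factory=list)


def endpoint_score(ep: Endpoint) -> float:
    """Risk for one endpoint on a 0..1000 scale, capped at 1000."""
    raw = 0.0
    for f in ep.findings:
        weight = SEVERITY_WEIGHT[f.severity]
        if f.kind == "vuln" and f.exploited:
            weight *= EXPLOITED_MULTIPLIER
        raw += weight
    return min(1000.0, raw * POINTS_PER_UNIT)


def enterprise_score(endpoints: List[Endpoint]) -> float:
    """Blend the fleet average with the worst endpoint so that one badly
    exposed host cannot hide behind a large number of clean ones (0..1000)."""
    if not endpoints:
        return 0.0
    scores = [endpoint_score(e) for e in endpoints]
    mean = sum(scores) / len(scores)
    return 0.5 * mean + 0.5 * max(scores)


def top_endpoints(endpoints: List[Endpoint], n: int) -> List[str]:
    """Names of the n riskiest endpoints, the actionable part of the report."""
    ranked = sorted(endpoints, key=endpoint_score, reverse=True)
    return [e.name for e in ranked[:n]]


def trend(previous: float, current: float) -> Dict[str, float]:
    """Change between two assessments, for the 'how is risk moving' slide."""
    delta = current - previous
    pct = 0.0 if previous == 0 else 100.0 * delta / previous
    return {"previous": previous, "current": current,
            "delta": delta, "pct_change": pct}


# Constructed sample fleet (not real scan data): one internet-facing server
# with an exploited critical, one laptop with compliance gaps, one clean host.
SAMPLE_FLEET = [
    Endpoint("web-01", [Finding("vuln", "critical", exploited=True),
                        Finding("vuln", "high")]),
    Endpoint("hr-laptop-07", [Finding("compliance", "medium"),
                              Finding("compliance", "low")]),
    Endpoint("build-03"),
]

if __name__ == "__main__":
    now = enterprise_score(SAMPLE_FLEET)
    print(f"Enterprise risk score: {now:.0f}/1000")
    print("Worst endpoints:", top_endpoints(SAMPLE_FLEET, 2))
    print("Trend vs previous assessment:", trend(600.0, now))
```

Run as a script it prints the enterprise score, the two riskiest endpoints and the change against an assumed previous score of 600; in practice `trend` would be fed the stored result of the last assessment, which is what turns a one-off number into the over-time view the article asks for.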

How CIOs can change the narrative around risk

Often CIOs are involved in board meetings where they are asked: “Are we safe?” There is a huge level of subjectivity around this question, yet a strong CIO should be able to communicate effectively with the rest of the company about risk and how the business is protected.

In other words, they need to change the narrative to one which is more objective and tangible – providing evidence on where the organisation currently stands from an IT risk and compliance perspective.

This means using a risk score report to communicate key trends, improvements, and industry benchmarks as the main focal point of their executive and board-level reporting. By providing a simple evaluation of risk that is easy to understand, CIOs can bridge the gap between themselves and C-suite business leaders – making cybersecurity a key part of the board-level conversation.

CIOs must also use risk assessments to help strike the balance between a proactive and reactive approach to IT security. Many organisations focus too much on reactive point solutions such as antivirus, rather than proactive efforts that constantly scan their entire network and identify vulnerabilities before they become intrusions.

With risk assessment technologies in place, CIOs can show results – quantifying the exact level of risk within the organisation and demonstrating how successful they have been in tackling it. Once implemented, they can conduct regular assessments to see how risk is changing over time and ensure they are adopting a holistic, data-driven approach to prevention and response. By doing so, CIOs will be embracing proactive ways of assessing IT risk that will move their organisations onto better-secured ground in this era of growing threats.


© 2024 Professional Security Magazine. All rights reserved.
