How much time every day do you spend thinking about risk? No matter what your answer was, I’m willing to bet that considering the importance of information technology you are not spending enough time on this important subject. Every person who has the CIO job knows that there are risks all around us each and every day. In fact, the number of risks that your company is facing is probably growing every day. The big question is what should you be doing about this?
5 Things That A CIO Needs To Know About Risk Management
When starting to think about how you want to deal with all of the risks that your company is facing, things can become overwhelming very quickly. What you need to do is to take the time to prioritize how you are going to be spending your time. Here are 5 things that you are going to have to know about how to most effectively tackle your risk issues:
- Start With What You Know: Of course every CIO should start out by making sure that the key risk areas that the IT department is facing are covered. Key areas to be covered include making sure that your company won’t experience any data breaches. Once you’ve got this all taken care of, it’s time to look beyond the IT department. Take the time to understand how the company is using all of that data that the IT department has gathered for it and see if those other departments are exposing themselves to risk as they use what you’ve given them.
- Don’t Get Caught Up In Compliance: It can be all too easy for a CIO to become focused on a given compliance project (HIPPA, Sarbanes-Oxley, etc.) and be left with the false sense that they’ve got their risk under control. These programs can help you manage your risk, but they don’t do it all. What you want to do is to stay ahead of the risks that your company is going to be facing and if you are just spending your time trying to be compliant, then you’re going to end up falling behind.
- Look On The Bright Side: With all of the other projects that a CIO has on his or her plate, risk management may not be the one that you really want to spend much of your time working on. However, you need to realize that this type of program will provide you with an opportunity to learn more about the company’s overall business processes and how it uses its IT data. Having a good understanding of this should only help to further your career.
- It’s All Been Done Before: The good news about setting up a risk management program for your company is that you are not the first CIO to do this. It turns out that there are a number of different “cheat sheets” that you can use to get your program off of the ground. These include ISO 31000, and ISACA’s Risk-IT. However, as with all such templates, you need to keep in mind that these were not created with an understanding of your particular business’ needs. You’re going to have to take the time to find out how to modify them to fit the way that your company operates.
- Know Who You Are Up Against: Every risk program has to be started by having you sit down and spend some time thinking about just exactly who you are trying to protect the company from. Yes, there are the usual list of external suspects. The hackers and others who are trying to get their hands on your company’s most valuable secrets via social engineering or other methods. However, you also have to keep in mind that your greatest threats may be coming from your employees. These are the ones who are already on the inside and who may be able to do the most harm in the least amount of time.
What All Of This Means For You
When you are in the CIO position, you may have a more important job to do besides risk management for your company, but I wouldn’t know what it would be. One of the biggest challenges that CIOs face when trying to create a risk management program is that it can be confusing trying to determine just exactly where they should start.
In order to get your risk management efforts off to a good start, there are 5 things that you need to do. You need to start the program by securing the IT department and then follow the data into other departments and make sure that they are secure also. Realize that compliance programs are good, but they are not enough. View creating a compliance program as a true career opportunity for you. Everything has been done before and that means that you can use “cheat sheets” to get your program started. Finally, make sure that you understand who you are up against so that you can create the right type of program.
Although most CIOs would rather spend their time working on programs that have to do with mobility or cloud computing, it’s the risk management program that they create that may be of the most value to their company. Take the time to understand what you want to do and how you’re going to do it and you’ll be able to create a program that will keep your company’s intellectual property safe and secure.
– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™
Question For You: Do you think that a CIO should enlist managers from other parts of the business to help with the risk management program or go it alone?
Click here to get automatic updates when The Accidental Successful CIO Blog is updated.
P.S.: Free subscriptions to The Accidental Successful CIO Newsletter are now available. Learn what you need to know to do the job. Subscribe now: Click Here!
What We’ll Be Talking About Next Time
Life is full of changes and that is one of the things that makes having the CIO job both so exciting and so challenging. As we spend our time looking inside of our company for ways to make it both more competitive and more efficient, the outside world continues to change at a rapid pace. Sometimes a digital disruption occurs when a new company shows up with a novel idea or approach that can threaten our company. What is a CIO to do when this occurs?