The Evolution of Risk and the CIO

True or false? The CIO office is all about rolling out computers and making sure they work.

Answer? In their dreams.

In fact, today’s CIO helps lead the organization’s risk analysis efforts, arguably one of the most challenging but critical components of an information security program.

Contrary to popular belief, risk analysis has been around for a very long time. Insurance companies, online investment firms, and many other businesses have made risk analysis both a science and an art.

Wall Street, for example, can quantify to the dollar how much money they’d lose if their systems went down for an hour.

And insurance companies have brought the concept of risk assessment to virtually anyone who owns a car or a home. Actuaries first pinpoint the value of the asset, let’s say a car, then identify threats to that asset, such as accidents.

They then take a look at how vulnerable the car is to that threat. How is the owner’s driving record? How many miles is the car driven in a typical year? Which geographic area will the car be driven in?

Actuaries then put all this information together — asset value, threats, and vulnerability to threats — to determine an appropriate premium for insuring that vehicle.

It’s the same with IT, except that information assets are worth a lot more than a car or a home, and CIOs must compete with other business units for limited pools of money to invest in protecting their corporation’s most important asset.

No wonder the role of CIO is evolving. Risk officer may be a more accurate title.

Putting a Price on IT

This evolution likely comes as no surprise to IT professionals. Over the years, technology has played an increasingly vital role in enabling organizations to become more efficient, offer more and better services, enhance customer satisfaction, and boost profitability.

What’s more, as information has become the currency of the digital age, information technology has become a business enabler and powerful competitive advantage.

To understand its value, just imagine the consequences of poor IT management. Picture a financial institution known for its online banking services successfully drawing a greater and greater customer base only to have its brand and reputation tarnished by continuous phishing attacks. Or the Web site of a world-renowned family entertainment mega-corporation defaced and replaced with questionable content.

The soft costs associated with such incidents are nearly impossible to quantify. Yet, there’s no company in the world that would willingly risk being so victimized.

Enter the new CIO. His or her job is to work with corporate executives, senior management, and other key personnel to put in place controls that mitigate risks to corporate assets—from intellectual property to company secrets, customer data, corporate brand, and more.

Of course, small or mid-sized businesses may opt to outsource their risk analysis, while larger enterprises that do a fair amount of business electronically may choose to use in-house resources and develop expertise that can be applied to subsequent risk management initiatives.

Adapting, Growing

But risk analysis is not a one-time exercise. Information assets change over time. New physical devices are added, older ones replaced, and existing systems reconfigured to meet the changing needs of the organization.

Neither are vulnerabilities static. Threats that are relevant today may merit little attention tomorrow. Older software vulnerabilities may be patched, while new ones are discovered.

The value of assets may change as well. For example, personal digital assistants (PDAs) will continue to proliferate and will become a staple of the workplace rather than a luxury for the corporate few. As that process accelerates, the total value of those PDAs to the company as a whole will also grow.

Because of the dynamic nature of the IT environment, risk analyses must be performed periodically — perhaps every six months — and adjustments made to keep pace with new areas of exposure and developing business priorities and objectives.

The iterative nature of risk analysis, its critical role in enabling future growth and profitability, and the ever-greater importance of information in the digital age make clear the vital role the CIO will continue to play in ensuring the long-term viability of an organization.

Clearly, the evolution is now.

Mark Egan is Symantec’s CIO and vice president of IT. He is responsible for the management of Symantec internal business systems, computing infrastructure, and information security program. Egan is author of “Executive Guide to Information Security: Threats, Challenges, and Solutions” from Addison Wesley and was a contributing author to “CIO Wisdom.”