By Alex Bender, Director, eGRC Programs and Strategy, EMC
As many of you know, the Gartner Security and Risk Summit was held this week in Washington D.C. at the Gaylord National. The event was excellent, with many great sessions and discussions on business continuity, privacy in the enterprise, advanced persistent threats and security in the cloud. One of the best sessions was held on Wednesday, titled "Enterprise and Operational Risk Management: What the Board Wants", and was moderated by Dale Kutnick and French Caldwell. In this session there were 4 board members representing different perspectives, shaped by their past experiences as well as the industries they serve. The idea was to give the audience, comprised mostly of IT professionals, a chance to hear what the board perceives as the value of IT to an organization and what information IT needs to provide a board so it can make strategic decisions. Here are a few highlights as to why I thought the session was so great:
During the session the audience was polled, with real-time responses submitted via text message. Over 110 people in the audience responded to the question: What IT risks should be communicated to the board?
The categories and results of the poll were very revealing:
- Data Protection – 30%
- IT Risk to the Business Strategy – 23%
- Continuity of Operations – 21%
- Regulatory Risks – 16%
- IT Investment – 5%
- Mobility Risks – 4%
I interpret these results in a variety of ways. The most obvious is that data protection topped the list because of the numerous privacy issues that have dominated the news over the last several years, and because IT thinks too much about… well, IT. Shocker, right? The conversation that ensued showed that the board didn't think data protection was the top issue. They wanted to know about IT risk to the business. In fact, one of the board members stated "is our data backed up and protected? Great…that is your job and that is all I need to know." They also mentioned how IT wants to talk speeds and feeds about how they protect data, and the board essentially could not care less. All the board wanted to hear was how IT protected data to keep the company's name out of the headlines, which brings me to two additional observations:
- IT Wants to Talk about the Complexities of Their Job vs. Providing Business Context: One of the board members stated they don't care about the complex nature of how data are stored, the technology behind securing the data, or what the day-to-day tasks are in IT. There is a huge language barrier at play, and it has existed throughout the 11 years I have been in the security, risk and compliance industry: we always want to make things complex and complicated. IT leaders need to put their responsibilities and organizational efforts in simple terms that mean something to the business decision process. The organizations that address the language barrier between IT and the business are starting to be the most successful in their approach to solving real problems for the business.
- Top Down vs. Bottom Up Approach: Organizations that, as a whole, take a top down approach to driving awareness of security, risk and compliance issues are the ones that struggle the most. A bottom up approach is needed. If everyone in the organization embraces and understands the risks, then the company as a whole will be able to manage, mitigate and preempt risks more efficiently, and in many cases avoid major risks altogether. This is where an extremely powerful training and awareness program can make or break a security, risk and compliance program. Also, when you couple the training program with a simple yet effective communication program, you can gain critical mass with your most valuable assets… your people.
I recommend that everyone in IT seek out all the material you can on what a board wants to hear about and how to express the value that IT brings in business terms. Also, know how your organization can work with the leaders in the business to deliver against the broad set of corporate objectives, rather than thinking so much about the complexities of IT. If you align IT to the broader set of strategic objectives that are important to the enterprise and communicate the value and risks effectively, you are actually delivering what your boss and the board really want. I also recommend that the boards of advisors of all companies start learning more about the value IT can bring rather than thinking "it is too technical". You are supposed to be a smart set of individuals who want to ensure shareholder value is increasing. By learning more about technology and what IT is doing to support the business, you will fund it appropriately and appreciate that part of the business a lot more than you do today.