CIOs are faced with pressures to implement, change, and maintain secure and operational environments — 3 opposing forces. It's no wonder so many CIOs report difficulty meeting expectations, and that CIO tenure hovers around 3 to 4 years. Reporting to the board room can be a harrowing experience for many but talking about information risk management may be near the top of the list as a 'white knuckle' experience.
Stephen Gant, general manager of Modulo thinks that CIOs are in the right spot to lead their enterprises in protecting their information.
"Today’s CIO is optimally positioned to lead the path toward standardized and harmonized information risk management within their organization. After capital, information is the single most important commodity upon which an organization relies. An organization’s information technology infrastructure underlies absolutely every aspect of daily business and, by extension, impacts reputation management, intellectual property, disaster recovery planning, marketing, legal, human resources, and even finance. Soon, the CIO will necessarily rival the CFO in his/her ability to provide key metrics to the board and shareholders about business performance.
To do this, the CIO will need to incorporate both top-down view of risk typically generated by a Chief Risk Officer (CRO) and CISO’s bottom-up approach to risk management. The CRO often helps define company Key Risk Indicators (KRIs) through enterprise risk management techniques. The CISO provides critical visibility into residual and real business risk based on the ability to link assets to lines of business and processes. Combining these approaches gives the CIO a natural foundation to lead the maturity path toward enterprise-wide governance, risk, and compliance (GRC) and performance as well as the harmonization of risks: cyber/IT, third-party supplier, business continuity, operational, and enterprise.
In a recent strategic boardroom discussion with over twenty CIO/CSOs from a variety of industries and moderated by Modulo, we found that many have already started down this maturity path. Key themes that emerged included:
- CIO/CSOs are increasingly interacting with the boardroom, and the structure of the board depends on the maturity of the company and the industry
- Collaboration below the board is the key to success
- Cybersecurity working groups are being formed to present a unified front
- Need for common CIO/CSO boardroom best practices
- GRC in the boardroom should be a business enabler"