Game-changing technologies, geopolitical issues, financial volatility, supply chain challenges, and the specter of climate change have created some treacherous terrain in which to innovate. Against this backdrop, IT leaders still have to grapple with prioritizing speed, quality, and risk.

Back in 2016, Marc Benioff famously said, “Speed is the new currency of business.” True. But I would ask us to consider a long-term view as we embrace the digital-first world, ensuring we move fast with appropriate risk considerations, thereby increasing the probability of success. This will be particularly relevant as AI adoption accelerates across all industries and business functions.

Given my background in cyber, as well as my board-of-director perspective, I invite all of us to consider instilling a risk-based mindset throughout the entire organization as we consider prioritization. Risk management should be a front-and-center topic for the C-suite and their boards of directors. They have shone a spotlight on the devastating consequences of inadequate risk management.

As risks faced by modern organizations increase while also growing more complex, incorporating risk management into strategic and corporate planning is now more important than ever. Every organization must cultivate a risk-aware culture so that it is the responsibility of all employees regardless of function – it is no longer just the responsibility of the CIO and CISO. When integrated with rigor, risk management can be a great asset in trade-off mitigation.

Initially the provenance of the financial sector, establishing risk appetite and tolerance, which is essential to pursuing the goals of an organization, is now a best practice in other industries and a critical need for cybersecurity leaders. While risk appetite is the degree to which an organization deems risk acceptable, risk tolerance is the acceptable deviation from the stated risk appetite.

Why is this so important? I like using the “driving analogy” to help illustrate what I mean. Think of the posted highway speed limit as the risk appetite of the state government for drivers in a given area. Few drivers keep to these limits, so the point at which police officers start handing out tickets (usually 5-10 MPH above the limit) is risk tolerance.

We may have little appetite for cyber issues, such as ransomware attacks, compliance issues, or data mismanagement, while having more appetite for business innovation and transformational items, for example. Understanding risk areas and defining risk appetite is the best start to risk management, as it helps define risk tolerance in terms of managing priorities, costs, and time spent. Risk appetite should be well-defined for each business area, and then shared with and understood by the stakeholders of that risk area.

Let’s take one of the most discussed areas of risk: cybersecurity. We might want to say we have zero risk tolerance, but this can cripple an IT organization with overspending and time consumption. Some companies have such distributed or isolated assets that, given a certain set of circumstances, they may accept not being in full compliance with best practices on a public-facing asset – or some systems may hold only non-critical data, so that backups are sufficient and a potential ransomware attack would not be detrimental. Understanding hierarchies of risk translates directly into what risk tolerance CISOs and CIOs can implement across the organization.

What choices do we make for risk mitigation? There are SO many options, especially when it comes to IT – never-ending choices of cybersecurity solutions, data management software, standards bodies, recommended best practices, and processes to follow.