CIO/CCO: An Important Strategic Alliance
If you do not seek out allies and helpers, then you will be isolated and weak." Sun Tzu, The Art of War
"Risk assessment is another critical point on which the CIO and CCO make formidable allies. An effective compliance program should not only detect non-compliance, but should ultimately prevent it"
A strategic alliance can be defined as a relationship between two or more entities that agree to share resources to achieve a mutually beneficial objective. And when the objective is a particularly challenging one, strong alliances are even more important. On the issue of Cyber Risk, there must be many allies.
Cyber risk continues to be one of the most significant threats facing businesses today. A recent study by PricewaterhouseCoopers suggests that information security incidents are on the rise as are the investments companies are making to address them. According to the survey, 38percent more information security incidents were detected in 2015 when compared to 2014. Additionally, companies on average have increased their information security budgets by 24 percent. It is no wonder that cyber risk is consuming the time and attention of management and Boards of Directors. According to the survey, 45 percent of Boards are participating in overall security strategy. However, adequately addressing this emerging risk is not the job of the Chief Information Officer (CIO) alone. Successfully combating this threat will require the work of many strong allies, including the Chief Compliance Officer (CCO).
There are a number of obvious ways in which the CIO and CCO should be allies in this fight. First, the problem of cyber risk is both a technology problem and a human behavior problem. Estimates are that one-third to two-thirds of cyber breaches were the result of employee error, such as accessing compromised email links or accidently forwarding sensitive information, rather than external breaches. The behavioral aspects of this problem can be mitigated through establishing corporate standards via policies and communicating them regularly, training and testing employees on those standards, monitoring for compliance with these standards, and disciplining employees who violate them. Additionally, when breaches do occur, it is imperative that they are reported appropriately within an organization and remediated to build cyber resiliency. All of these are the elements of an effective compliance program. As allies, the CCO and the CIO can support an appropriate information security governance framework which is aligned with the company’s overall risk and compliance framework.
Next, the CIO and CCO can partner to ensure strategic technology initiatives to meet changing regulatory and business needs. For example, as companies implement cloud-based technology solutions the CCO and CIO should jointly evaluate these solutions to ensure they meet the business’s needs as it relates to data protection, privacy, and a host of other regulatory requirements.
Risk assessment is another critical point on which the CIO and CCO make formidable allies. An effective compliance program should not only detect non-compliance, but should ultimately prevent it. Similarly, an effective security program includes assessing the organization’s risk and deploying resources to mitigate them. This specific risk assessment should include a view of what data an organization maintains, in what form and where. It should also include a perspective on the technical vulnerabilities that exist in the current environment and the reasonable steps that can be taken to address them. Here the CCO and CIO can provide the organization a complete picture of the risk the company is facing then partner with the business to develop strategies and controls that are legally compliant, technically feasible, and pragmatic in order to protect the company.
Finally, CIOs and CCO’s can collaborate and work towards shaping their external environment. As regulators and legislatures debate what role they should play in helping to mitigate cyber risk, CIOs and CCOs can partner to tell a cohesive story of how public policy and regulation may impact businesses. Regulators can benefit from a realistic perspective of how a cyber security program is developed and implemented, how cyber risk differs based upon the amount and type of information a company maintains, and steps organizations take to mitigate this risk based upon their unique profiles.
For example, as regulators consider mandating security standards, CIO’s can raise awareness about the impact of those standards. Impacting public policy in this space is without question a longer term effort, but having CIO’s and CCO’s both weighing in on policy options increases the probability that the results will better reflect realistic solutions.
My own experience tells me that as strategic allies there is much that a CIO and CCO can accomplish together to ensure their organization mitigates cyber risk. But doing so isn’t always easy. To keep their alliance strong it is important that they maintain regular communication with each other to understand the priorities and pressures they face. They must also look out for each other and ensure that the other has a seat at the table when important business decisions are being made which impact information security. These types of consistent behaviors ultimately create an environment of trust and mutual respect between the CIO and CCO which is at the foundation of any important strategic alliance.