As businesses increasingly digitize, they face ever-looming questions about how they approach security. In a handful of panels at the MIT Sloan CIO Symposium this month (the ones that weren't exclusively dedicated to security and privacy, at least), a prominent theme among CIOs was that businesses are moving away from a siloed compliance and policy focus for security programs. Instead, they're working toward anticipating behavioral changes and social factors -- in other words, they're practicing proactive risk management from the top down.
We should change the CIO conversation from, 'We are protecting the company' to 'We've probably already been breached.'
In the session "Leading the Digital Enterprise," a group of CIO panelists were asked how they should work with the rest of the executive board to establish priorities. Chief among them was risk management, which ranked alongside such IT stalwarts as big projects, spending and the digitization of business models.
"Data is the new currency," said panelist Andi Karaboutis, Dell's CIO and an MIT Sloan CIO Leadership Award finalist. In this new reality, enterprises must approach their information management proactively, not reactively. "We can't be fear-based -- we have to be bold and have a comprehensive strategy regarding security in a digital world," she said.
Put another way, CIOs must face the pervasive fear of being "Target-ed," moderator and Forrester analyst Peter Burris cracked, drawing some laughs from the audience. Referring to the retail giant's headline-making data breach last year, Burris said, "The verb 'Target-ed' has now entered the CIO lexicon."
Fellow panelist Rebecca Rhoads, CIO at Raytheon Co., agreed that a comprehensive security strategy is vital. When information flows to clients globally, companies must concurrently make those same clients confident in their information's security, she explained. To balance both, "You must fully understand your tech systems and information flow, and design security around them to manage risk," she urged.
This is where the CIO's role as "facilitator of the risk management discussion" is crucial. "Deciding where to move fast and where to move slow will be a key CIO skill in the future," Rhoads said.
Panelist Roger Gurnani, CIO and executive vice president of Verizon, concurred that customer data requires reimagining the business' security model, particularly when it comes to digital customer engagement. "Eighty percent of our customer interactions are digital," he said. "They're always connected."
Dell's Karaboutis agreed with that definition: "A digital enterprise is technology and data that creates intimate connections, with the customer at the center," she said.
'Security is everyone's job'
This focus on a digitally savvy and connected customer base increases collaboration and consumer communication, panelists said, but it also poses challenges. One of them is figuring out the role humans play in protecting data assets.
"We live in a digitally charged, super-connected era," Gurnani said. "Now, machines are being connected. Humans have the oversight."
He pointed to Verizon's annual Data Breach Investigations Report, an analysis that frequently cites human shortcomings and processes as leading causes of data breaches. Whether humans or systems are ultimately responsible is a moot argument, Gurnani contends. "Our job is to make sure that security is everyone's job. Systems can mitigate risks, but can't eliminate risks."
The message was clear: Humans must take responsibility for data security, and CIOs and their top-level peers -- including compliance and security officers -- must make information risk management a permanent point of discussion. Panelists noted that enterprises must shift their cultures to realize that breaches are a given. "In the digital world, we should change the CIO conversation from, 'We are protecting the company' to 'We've probably already been breached,'" Burris observed.
CIOs and their security-minded officers must take proactive steps to make better risk management decisions in today's digital enterprise. It starts with education, urged Brian Lillie, CIO at Equinix and the final member of the panel. It's key, he said, to run through "security scenarios" with IT staff that simulate a real data breach. Lille also encouraged incident response plan development and communicating their value to the business.
More from the MIT CIO Symposium
Five tips to lead the digital enterprise
Increased threats force CISOs to rethink data protection efforts
Symposium attendees share transformative digital initiatives
Raytheon's Rhoads agreed. "There are no solutions on the market yet that prevent all data breaches, so companies must be prepared on how to respond," she said, pointing to the lack of security continuity plans in many organizations. She went one step further and stated that business models must be undergirded by "layered defense," a breach management plan that takes into account the protection of the company itself, its products and its customers.
Again, planning starts at the top. "CSOs and CIOs must become comfortable discussing information risk management at the top levels; then, we can make better decisions," Rhoads said.
When all is said and done, when it comes to risk management, "You don't know what you don't know," Lillie conceded. Which is why, all of the panelists agreed, the security conversation should be not about the impractical goal of protecting all data assets, but rather focused on managing existing breaches and proactively protecting against future attacks.