The CIO Catch 22- you must innovate,but do so without increasing risk (By Mr. Eli Frank, Former CIO)

CIOs are required to lead the innovation in their organizations, and some even call them to lead “digital business transformation” and to transform even traditional enterprises into the digital era. But innovation comes with inherent risks, and CIOs are required to mitigate these risks and minimize them as much as possible. So innovation leads to risks, and in order to minimize these a more traditional mindset is required, one which is detrimental to innovation…a textbook catch 22.

CIOs recognize this dilemma- according to research firm Gartner, 89% of CIOs acknowledge that digital innovation is creating new types and levels of risk

(http://www.gartner.com/newsroom/id/2903717)

Some of these risk have always been present when adopting new technologies- project risks, cultural adoption and financial risk. But the digital era, and especially the connected era (which are just starting to experience really), have brought with it new types of risks, which can all be grouped under the generic phrase- Cyber risks.

Cyber risk can encompass anything from money theft, IP theft, business disruption, reputation damage and most-seriously, Infrastructures destruction (Energy, Water, Transportation, etc.).
The traditional method to mitigate these new risks was to buy new technology to cater for the new risk: DDoS mitigation, Encryption, Firewall etc. but guess what- adoption of new technology has inherent risks- bringing us back full cycle to the catch 22 again. So what is required is to think out of the box (or circle, in this case).

A technology which will minimize risks must be implemented in a way which does not increase risk. So this new piece of tech must better come “on top” of other existing technologies, and focus not on replacing them, but on extracting the most information from them. This information can be aggregated, analyzed and provide CIOs with “hard data” to make informed decisions.

Two types of information should be fed into the system- internal and external. Internal- accurate measurement of current cybersecurity technologies’ (deployed within the organization) effectiveness and readiness, and external- relevant intelligence regarding threat landscape. The system should then allow correlating between threats and mitigation technologies, and will highlight deficiencies and areas where improvement is necessary, and simulate the effect of more (or different) technologies will have on the overall risk score. Utilizing such system can assist CIOs in reaching a conclusion regarding urgent business questions, which can range from how existing systems are being operated to adopting new procedures and protocols.

Such systems can also assist in assessing the impact of implementing and adopting new technologies for the organization.  One example of such use would be in assessing the security impact of migrating systems and data to the cloud, a decision many CISOs grapple with today. Would moving to the cloud provide benefits? Sure, everyone knows that (and some of these are tangible, like reducing the need for costly IT equipment). But the risk emanating from such move? This is not always clear.  So CIOs must have tools to simulate the business and security impact of such transition, and make an informed decision, along with recommendations to the CEO and board of directors.

For example- the decision could be in favor of moving to the cloud, but keeping the most sensitive information secured on premise (aka hybrid cloud).

Or the decision could be made to move to the cloud in phases, since not all the organization is using the same infrastructure today. And so on.

So, by using such analytical technology, CIOs can soar above the infamous “catch”, Identify challenges, estimate risks and move ahead while minimizing the risk but without limiting innovation.

Mr. Eli Frank is a former Vice President in Amdocs, responsible for CRM and Billing systems for Tier-1 Telecoms in Europe, and the CIO and member of the top executive management of Bezeq, the leading Telecommunication group in Israel. In his current occupation, he provides strategic IT and Management consultation to large enterprises and senior managements. Mr. Frank serves on Cytegic Advisory Board.  

Leave a Reply

Your email address will not be published. Required fields are marked *