Why IT needs to drive the risk conversation

It's a familiar complaint: Executives from a business department learn about a new, often cloud-based product and they want to try it. Only they can't, because IT has decreed that this wonderful new product creates too much risk. The frustrated business execs gripe that IT is standing in the way of progress. As one business executive said, IT is "where dreams go to die."

The problem might not lie in some stubborn dislike by technology professionals for innovative new products. The problem, CIOs and other experts agree, is that most organizations don't have a realistic, balanced or mature system for evaluating and making decisions about technology risk, especially the risk that always comes with implementing something new.

"Somebody, typically in a line of business, has some SaaS product they want to use, and they provide a business case for it: 'Here's all the good stuff that can result from the use of this. It'll make my numbers. I can access it from anywhere,'" says Jay Heiser, an analyst at Gartner.

At that point, IT is asked to determine whether the software in question is safe to use. "Then starts a farcical attempt to prevent something bad from happening," says Heiser. Getting the vendor to indemnify the customer for any losses suffered in the event of a breach would mean inserting provisions into the vendor's standard contract. "These are cookie-cutter products; the company has 30,000 customers. They're not going to negotiate contracts," he says.

Next come questions about the cloud provider's security practices, but here again, Heiser says, it's difficult or impossible to construct a questionnaire that will fully determine whether the provider will keep data secure. A site visit might be helpful, but the sheer volume of customers makes it impossible for the provider to welcome most of them. And even when you are standing in a provider's facility looking straight at its servers, that doesn't give you access to the person who wrote the code.

In short, there is no way to guarantee security, especially that of a cloud-based product, Heiser says. And therefore, IT professionals tend to take the simplest path and decline to give their approval, which in turn earns them a reputation as dream-killers. It's a setup that guarantees frustration on all sides, and one that's more than ripe for adjustment.

But changing it requires seriously rethinking how businesses work with IT to make technological decisions. That won't be easy, but here are some places to start.

1. Let CIOs Off the Hot Seat

Talk to any CIO long enough on the subject of technology risk, and one company name is likely to come up: Target. The retailer suffered a widely publicized data breach, disclosed in December 2013 and January 2014, that exposed some 40 million payment card accounts and the personal information of up to 70 million customers, a total of roughly 110 million records, a number equivalent to more than one-third of the U.S. population, assuming every record belonged to a different person. As the dust settled and lawsuits were filed, no one was surprised when Target CIO Beth Jacob tendered her resignation.

Jacob had been on the job about six years, putting her right at the average CIO tenure according to CIO magazine's 2014 State of the CIO survey. That's a fact worth noting because behind it lies a darker truth: Most CIOs assume they're always one big tech failure away from losing their jobs. "I don't know if she did a good job or not, but she got fired," Heiser says. "In practice, if something breaks, they'll go looking for a scapegoat." Because CIOs face that reality, he adds, it's easy to see why most of them are motivated to make "extremely conservative decisions."

"We have encrypted our systems and we audit stuff regularly," one CIO confides. "We've done our absolute best to make sure there is never a breach. Still, just like the Target CIO, if I stay here long enough, there will be a situation that I get blamed for."

2. Stop Asking the Wrong Questions

"I get a lot of questions from Gartner clients who want a definitive read as to whether some cloud system is 'secure' or not," Heiser says. "It's the wrong answer and the wrong question."

To begin with, there's no such thing as a perfectly secure system. "Inevitably, something will go wrong because you're a goalie and sometimes people will score," says Matt Powell, CIO at Kirshenbaum Bond Senecal + Partners, an advertising agency headquartered in New York. "What we do instead is talk about relative risk." Powell says he has read that the National Security Agency's standing posture is that all its systems have been compromised 100% of the time. If a government agency with legendary technical proficiency makes that assumption, he suggests, everyone else should too. Once you adopt that mindset, he says, "it's a matter of how much is at risk, and for how long."

Unfortunately, Heiser says, "there's no way to conceptualize risk." Even though many organizations, including Gartner, have tried to put a finger on risk profiles and scenarios, "there's no good way to quantify that," he says. "If you could tell the business there's a 5% chance in any year that your competitor could gain access to your data through this service and that was backed up by statistics, you could base a decision around that, but it's still going to be an emotional decision."
