Insights from the Gartner Security & Risk Summit

As a CIO today, you are limited in the number of events you can attend. Given this, I will bring the event to you by this summarizing the key insights of the Gartner Security & Risk Summit. The summit was clearly meant for professionals focused on security and risk. However, many topics had clear relevance to CIOs. CIOs like Steven diFilipo, the CIO for the University of Texas’ Institute for Transformational Learning, said to me during the summit, “CIOs should be involved in risk mitigation across the entire business landscape.” Given this, I will share a few gems from this summit having particular relevance to the Chief Information Officer. To be succinct, here are the names of Gartner analysts you may want to follow or engage with to learn more: Sid Deshpande, Neil McDonald, Leigh McMullen, Paul Proctor, and Jeffrey Wheatman.

1. We are moving toward a new type of CIO, an “A type CIO.” The big difference with A type CIOs is that they are focused on business growth rather than on cost reduction. For some this represents a big change. However, in talking with members of #CIOChat on Twitter, Pascal Viginier, the CIO of Orange, said that “business value is much better than a cost-centric approach for building a business case.”
2. Digital businesses need to make conscious choices that balance risk, trust, and innovation. The challenge is to balance these with the pace of digital disruption.
3. There is no such thing as perfect risk protection. The goal should be to create a sustainable set of controls that balance the need to protect against the need to run business faster. Doing this means establishing a dialog with the business leadership about risk.
4. Organizations should take a strategic risk management approach to technology risk. CIOs and CISOs need to move the conversation from low and high risks to good and bad risks. At the same time, they should move their organizations away from taking just an internal view of risk. Risk today exists across an internal/external ecosystem.
5. CIOs and CISOs should treat security as a business service, offering different levels of service depending upon the different needs and risk appetites of business units.
6. CIOs need to codify risk in terms of how risk impacts the business. One potential way to do this involves communicating risk in terms of a corporate value chain. This of course refers to the work of Michael Porter. As a strategy major, I find Porter’s value chain approach extremely valuable, but the book itself remains a difficult read.
7. Those not moving to the cloud say that they aren’t doing it because of cloud security concerns but those who are moving to the cloud say they are doing it for cloud security. This research result is amazing, but I can confirm from the #CIOChat that security is the number one concern for CIOs looking to transition from managing datacenters to public cloud.
8. You shouldn’t consider cloud security separate from everything else you do. It needs to be a part of your entire security plan. Public cloud users today must accept that if their public cloud vendor is hacked then their keys have likely been exposed.
9. CISOs need to work on their communication skills. One CISO at the conference said the next time you think of writing an email filled with technical terms, you should go and have a face to face meeting and speak in the language of the business—risk—instead of technical terms. In talking about CISOs during the #CIOChat, Melissa Woo, the CIO at Stony Brook University, said “good CISOs should have the same traits as a good CIO, which includes being strategic as well as a good communicator.”

Parting thoughts

It seems increasingly clear that CIOs need to make sure that their conversations about security become embedded in the business risk conversation. As such, CIOs need to ensure that the business is making conscious decisions about risk tradeoffs, and that they know there is no zero-risk posture. At the same time, CIOs need to make sure their CISO has business acumen or they will find themselves increasingly frustrated. And finally, digital businesses need to be framed for both the opportunity and risks they create or business counterparts will make the wrong business choices.