The Next Chief Risk Officer: Are You Sure?
Sat, 2009-05-09 13:51
 It was 6:15 AM, and I was about half done with my daily workout on the treadmill in my basement. I was watching "First Business" out of Chicago. The topic was Aon's 2009 Global Risk Management Survey, and the interview really surprised me.

 Laura Taylor of Aon described the top ten list and how things changed from 2007. She even made a few predictions about 2011. According to the survey respondents, the Top 10 most pressing risks are:

  1. Economic slowdown
  2. Regulatory/legislative changes
  3. Business interruption
  4. Increasing competition
  5. Commodity price risk
  6. Damage to reputation
  7. Cash flow/liquidity risk
  8. Distribution or supply chain failure
  9. Third-party liability
  10. Failure to attract or retain top talent

 I stopped the treadmill. (I never do that.)  OK, where's cyber?  How about data breach, information security, identity theft, hackers, viruses, worms, protecting critical infrastructure or anything remotely related to securing computers or technology?  No mention of Payment Card Industry (PCI) compliance, protecting health records or other personal information, extortion attempts against companies and governments or foreign governments spying on companies.

What's up with that? Do these results surprise you as much as they did me?

 I know, I know, a contrary argument can be made that information security risk and/or other IT risks are built into most of these items. It is true that business reputation includes online activities, but aren't we stretching things if we go down that road? The "virus example" given for business interruption was the "Swine Flu" virus.

There are many implications of this survey for CSOs, CISOs and other IT professionals. The survey helps security staff understand and use business language to describe risk. But there's another interesting ramification to these results which may impact your career. The Internet is full of stories about security governance and the proper role of the CSO. Many articles suggest that CSOs or CISOs will ultimately become (or merge with) the new "hot job" called Chief Risk Officer (CRO) - reporting to company CEOs. Similar stories go back to my early days as a CISO in 2003.

 One of the first articles I read at CSOonline.com was from the very talented Vice President and CISO from Motorola, Bill Boni. I've learned much from Bill over the years, and I respect and admire his approach to security and risk.  Bill's view on this topic? "As the role develops, the CSO will become more of a chief risk officer, an executive in charge not only of the technological risks a company may face but also the business risks married to security concerns."    

 Bill's described path for CSOs to become CROs became my career perspective during the years I served as Michigan's CISO (from May 2002 until January 2009). The Chief Risk Officer role seemed like a logical next step for my career. But as the CRO role continues to grow in importance, the path to a CRO may be different from what many CSOs think. Most skills listed have little to do with technology.

 A few disclaimers: I think the CSO and CISO roles are more alive and healthy today than ever before. I don't think they are going away anytime soon. My move to Chief Technology Officer (CTO) had nothing to do with any fears for the security profession. In fact, I get more internal and external contacts than ever before - people who ask about how they can become CISOs. Perhaps the industry is heading towards a Chief IT Risk Officer as Gartner described late last year. That role would report to a company or government-wide CRO. But I still like CISOs reporting to CIOs, if the CIO reports to the Governor (or CEO) and runs IT.

 Hopefully the main point of this blog is clear: broadening your perspective on risk can help. Keep trying to see the business point of view. Don't back down on technology issues, but be open to new angles and listen to their problems.

Or getting more personal, if you think you'll be the next Chief Risk Officer, are you sure?   

Reader Feedback
Wed, 2009-05-20 16:23
A

Great report!!!

wwb

Mon, 2009-05-18 21:14
Responses to Next CRO Article

My thanks to Allyson Marcus from Aon Corp and the others who have responded so far.

A few comments: I understand that this survey does not represent the opinions of Aon, but rather the views of CROs, CFOs and risk managers. I appreciate you pointing this out again, Allyson. I look forward to seeing the results of your Global Risk Technology Survey coming out this fall.

I received several personal emails on this topic that basically point to the economic downturn as bad for security programs around the world. I generally agree that the recent downturn has made many companies focus more on short-term fixes than long-term approaches and security answers. This may be impacting the survey results regarding IT as a risk.

Lastly (for now), Bill Boni sent a kind note. He also pointed out that he is now Motorola's Chief Security Officer (CSO) and not CISO. Sorry about that mistake Bill.

Keep the comments coming ...

Fri, 2009-05-15 04:18
Demand & Supply
By Anonymous

Although everyone knows the problems in cybersecurity, directors and company leaders only care about availability, because the purpose of setting up a company is winning money. As the recent attacks are focusing on botnets and phishing, and little on DoS against the system, leaders would not care so much.

In addition, there are so many standards and best practices that security offices need to optimize and choose for their own system. Virtualization can help to integrate those bits and pieces. Perhaps BSIMM can help to guide the development of the whole system through the life cycle of a company.

Thu, 2009-05-14 16:42
Not Surprised
By Anonymous

Frankly Dan, I'm not surprised.

We are fully imbued in a pandemic of Security Theater.

How about this, as my first concern:

1. Despite the overwhelming amount of usable guidance including regulatory documentation, NIST standards, best practices, etc. - our collective corporate governance bodies continue to choose to ignore pleas for holistic security programs from those security professionals under their employ.

Message to CEOs - Stop the rhetoric and do the right thing!

Thu, 2009-05-14 16:25
Not surprised
By Anonymous

Not surprising at all, Dan. How about this:

1. Despite the overwhelming amount of usable regulatory guidance, best practice documents, NIST Standards, and many other information security treasures, our corporate governance consistently chooses to ignore the pleas of security practitioners under their employ to implement a holistic security program.

It's not that we don't know what to do - It's that we are not doing it. Message to all CEOs - Let's stop the rhetoric and do the right thing!

Wed, 2009-05-13 20:27
RE: The Next Chief Risk Officer: Are You Sure?

Dear Dan,
We are glad that Aon’s Global Risk Management Survey piqued your interest. To clarify, the top 10 risks cited in the survey were not dictated by Aon but determined solely by 551 responding organizations (representing the roles of risk managers, CROs, CFOs, treasurers and others) from 40 countries. IT was a core part of the survey. In fact, respondents ranked the following IT risks among others:

• Technology failure: Ranked 14
• Loss of data: Ranked 22
• Computer viruses/malicious codes: Ranked 25

As you mentioned in your article, Aon recognizes that IT is a crucial business risk and is currently developing an IT-focused survey called the Global Risk Technology Survey. The findings of this survey will be announced in October, and we will share them with you at that time.

More information about the study may be found at www.aon.com/2009risksurvey. Please contact me with any questions – 312.755.3592.
Thank you,
Allyson

Tue, 2009-05-12 00:17
Well Stated
By Anonymous

Business risk is much broader than just cyber or physical security risk.

Nice article
