Beyond the hype and hysteria in the press about cybersecurity threats, board members and senior executives are genuinely interested in the IT risks they currently face. This growing interest in IT risk is being driven by four consistent themes that we see in our daily client interactions at Gartner.
1. Lack of understanding
Chief Information Officers and Chief Information Security Officers at many companies are only now beginning to have regular interactions with board members about IT risk. However, even when these interactions are happening, they often miss the mark because the IT risks are not presented in a business context that offers board members a basis on which to decide and act. In our recent Global Risk Management Survey, we found that less than 35% of the companies surveyed are integrating risk and performance data to influence IT and business unit decision making (see graphic below).
2. Increasing pressure to disclose technology risks
Market and industry regulators are pressing companies to be much more transparent in the disclosure of the technology risks they face. For example, the U.S. Securities and Exchange Commission issued guidance in 2011 that instructs public companies to disclose the following:
– Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences
– To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks
– Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences
– Risks related to cyber incidents that may remain undetected for an extended period
– Description of relevant insurance coverage
3. Lack of visibility into key business relationships with third-parties
As more companies look to improve the efficiency of their operations, the number of third-party relationships in the form of outsourcing arrangements or technology vendor contracts (e.g., cloud computing) has skyrocketed. This has increased the level of IT risk exponentially and drawn the focus of industry regulators. Just recently, the U.S. Office of the Comptroller of the Currency issued guidance to financial services companies regarding third-party risk management practices. Also, the U.S. Department of Health and Human Services has just begun enforcing new rules under the Health Insurance Portability and Accountability Act (HIPAA) that require business associates of covered healthcare entities to comply with the act. So, businesses that provide services such as claims processing or medical records management on a third-party basis are now required to comply on behalf of the healthcare entity they serve. Efforts such as these require greater visibility into the risks associated with third-party technology assets.
4. Growing interconnection between technology and business risks
As my colleague Peter Sondergaard, Gartner's Global Head of Research, stated in a recent blog post, “every business unit is a technology start-up.” We are now entering what Gartner calls the digital industrial economy. In this new economy, technology is becoming the driving force behind business innovation and competitive advantage. However, without a keen understanding of the risks inherent in the use of these new technologies, the very technology that drives a business forward may also sound its death knell.