Betting on Risk Management

Case Study: Companies are learning how to quantify the value of investing in IT safeguards.

Cingular Wireless is based nowhere near Las Vegas or Atlantic City, N.J. Still, Thaddeus Arroyo, Cingular's CIO, spends a fair amount of his time every day making bets.

Some of his gambles are no-brainers. It's a sure thing that hackers will attack Cingular's network, so Arroyo spends money on firewalls. Odds are that a server with important data is bound to crash someday, so Arroyo provides resources for data backups and recovery. Any CIO worth his or her salt can hedge against risks like those.

Now comes the next generation of IT risks—ones that leave Arroyo and other IT executives confronting some pretty unclear odds.

How, for example, does a company calculate whether it should use ultrasecure systems or more flexible Internet technologies that let the business grow quickly? What's the likelihood that terrorists or hurricanes will destroy your data center, and does that likelihood justify maintaining a mirror site elsewhere? How much should you curb employee access to IT systems to comply with the Sarbanes-Oxley Act?

Welcome to risk management, CIO style.

"We're becoming more reliant on technologies" across all business functions, Arroyo said. He said he worries about identity theft and how the theft of data from even a few of Atlanta-based Cingular's 52 million subscribers could ruin the company's reputation with all of them. "Therefore, the risks in the environment and managing them become more important to our business," he said.

Typically, risk management measures the likelihood that a given event will happen and the damage it would cause if it did. From there, a company can decide how much to spend to reduce that risk, or whether simply to accept it and face the consequences later.

For example, a company with a distribution center in a hurricane zone might decide to stock a backup center elsewhere. Then again, a company might simply truck in supplies from elsewhere if hurricanes are rare.

"The whole thing has changed dramatically," said Elliott Zember, a former CIO in the financial services industry, who now works at Fox Technologies Inc., a maker of access management software based in Palo Alto, Calif. Prior to SarbOx and the Sept. 11, 2001, attacks, Zember said risk management at public companies "was something the CIO might be involved in, probably only in reaction to a request from above."

Richard Reeder, CIO of the State University of New York's Stony Brook campus, said risk management "certainly takes more and more time and resources." He said he worries about credit card information of students who pay for courses online, illegal downloads, system upgrades and much more.


"That's money I'd much rather use on improving technology for instruction and administrative processes," Reeder said.

Security and IT risk management, rather than system maintenance, consumes at least 10 percent of his attention every day, Reeder estimated. "Now its part of the discussion in whatever you do," he said.

Managing IT risks is still much more art than science—although some scientists and corporate thinkers are on the case. The best way to assess IT risk is to quantify the cost of various IT risks so that business executives know whether a certain solution is worth the expense. After all, commercial insurers can calculate the risk of a Category 4 hurricane destroying New Orleans. Why can't CIOs calculate the risk of, say, postponing a needed platform upgrade for two more quarters?
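The likelihood-times-damage arithmetic described earlier, and the hurricane-zone distribution-center decision used to illustrate it, can be put into working code. The following is an added example, not from the article or from any of the companies it quotes. It uses the textbook annualized loss expectancy (ALE = single-loss expectancy × annual rate of occurrence) and return on security investment (ROSI) formulas, which the article does not name; every dollar figure, probability and control name below is constructed for illustration, and the break-even helper is an addition that shows how sensitive the decision is to the event rate, usually the weakest number in the model.

```python
"""Added example (not from the article): deciding between spending on a
safeguard and simply accepting a risk, using annualized loss figures.
ALE = SLE x ARO and ROSI are the standard textbook formulas; all numbers
below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # SLE: dollars lost each time the event happens
    annual_rate: float   # ARO: expected occurrences per year (0.05 = once in 20 years)

    def ale(self) -> float:
        """Annualized loss expectancy: what the risk costs per year if nothing is done."""
        return round(self.single_loss * self.annual_rate, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float           # what the safeguard costs per year
    rate_reduction: float = 0.0  # fraction of occurrences it prevents (0..1)
    loss_reduction: float = 0.0  # fraction of per-event loss it avoids (0..1)

    def residual_factor(self) -> float:
        """Share of the original ALE that survives this control."""
        return (1.0 - self.rate_reduction) * (1.0 - self.loss_reduction)


# Doing nothing is always one of the options being compared.
ACCEPT = Control("accept the risk", annual_cost=0.0)


def residual_ale(risk: Risk, control: Control) -> float:
    return round(risk.ale() * control.residual_factor(), 2)


def net_benefit(risk: Risk, control: Control) -> float:
    """Loss avoided per year minus what the control costs; ACCEPT scores 0."""
    return round(risk.ale() - residual_ale(risk, control) - control.annual_cost, 2)


def rosi(risk: Risk, control: Control) -> Optional[float]:
    """Return on security investment per dollar spent; undefined for a free control."""
    if control.annual_cost == 0:
        return None
    return round(net_benefit(risk, control) / control.annual_cost, 3)


def choose(risk: Risk, controls) -> str:
    """Name of the option with the highest net benefit, including doing nothing."""
    best = max([ACCEPT, *controls], key=lambda c: net_benefit(risk, c))
    return best.name


def breakeven_rate(risk: Risk, a: Control, b: Control) -> Optional[float]:
    """ARO at which controls a and b have equal net benefit (None if they are
    equally effective and so never cross; a negative value means the cheaper
    option also avoids more loss and dominates at every rate).  The event rate
    is usually the shakiest input, so this is the number to argue about."""
    diff = b.residual_factor() - a.residual_factor()
    if diff == 0:
        return None
    return (a.annual_cost - b.annual_cost) / (risk.single_loss * diff)


# Constructed scenario: losing the distribution center costs $5M per event.
HURRICANE_RARE = Risk("hurricane hits distribution center", 5_000_000, annual_rate=0.05)
HURRICANE_FREQUENT = Risk("hurricane hits distribution center", 5_000_000, annual_rate=0.5)

# Constructed controls: a stocked backup center versus an on-demand trucking contract.
BACKUP_CENTER = Control("stock a backup center elsewhere", annual_cost=400_000, loss_reduction=0.9)
TRUCK_IN = Control("truck in supplies from elsewhere", annual_cost=30_000, loss_reduction=0.6)
OPTIONS = [BACKUP_CENTER, TRUCK_IN]

if __name__ == "__main__":
    for risk in (HURRICANE_RARE, HURRICANE_FREQUENT):
        print(f"{risk.name} at ARO {risk.annual_rate}: ALE ${risk.ale():,.0f}")
        for c in (ACCEPT, *OPTIONS):
            print(f"  {c.name:<36} net ${net_benefit(risk, c):>12,.0f}  ROSI {rosi(risk, c)}")
        print("  -> choose:", choose(risk, OPTIONS))
    be = breakeven_rate(HURRICANE_RARE, BACKUP_CENTER, TRUCK_IN)
    print(f"backup center beats trucking once hurricanes exceed {be:.3f} per year")
```

With the constructed figures the model reproduces the article's intuition: at one hurricane every 20 years the trucking contract has the best net benefit and the backup center loses money, while at one every two years the backup center wins. The break-even rate (about 0.25 per year here) is the number worth taking to the business, because it turns an argument about a fuzzy probability into a question of whether the site floods more than once every four years.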
