Cingular Wireless is based nowhere near Las Vegas or Atlantic City, N.J. Still, Thaddeus Arroyo, Cingular's CIO, spends a fair amount of his time every day making bets.
Some of his gambles are no-brainers. It's a sure thing that hackers will attack Cingular's network, so Arroyo spends money on firewalls. Odds are that a server with important data is bound to crash someday, so Arroyo provides resources for data backups and recovery. Any CIO worth his or her salt can hedge against risks like those.
Now comes the next generation of IT risks—ones that leave Arroyo and other IT executives confronting some pretty unclear odds.
How, for example, does a company calculate whether it should use ultrasecure systems or more flexible Internet technologies that let business grow quickly? What's the likelihood that terrorists or hurricanes will destroy your data center, and should you therefore maintain a mirror site elsewhere? How much should you curb employee access to IT systems to comply with the Sarbanes-Oxley Act?
Welcome to risk management, CIO style.
“We're becoming more reliant on technologies” across all business functions, Arroyo said. He said he worries about identity theft and how the theft of data from even a few of Atlanta-based Cingular's 52 million subscribers could ruin the company's reputation with all of them. “Therefore, the risks in the environment and managing them become more important to our business,” he said.
Typically, risk management estimates how likely an adverse event is and how much damage would follow if it occurred. From there, a company can decide how much money it should spend to prevent that risk, or whether simply to accept the risk and face the consequences later.
For example, a company with a distribution center in a hurricane zone might decide to stock a backup center elsewhere. Then again, a company might simply truck in supplies from elsewhere if hurricanes are rare.
“The whole thing has changed dramatically,” said Elliott Zember, a former CIO in the financial services industry, who now works at Fox Technologies Inc., a maker of access management software based in Palo Alto, Calif. Prior to SarbOx and the Sept. 11, 2001, attacks, Zember said risk management at public companies “was something the CIO might be involved in, probably only in reaction to a request from above.”
Richard Reeder, CIO of the State University of New York's Stony Brook campus, said risk management “certainly takes more and more time and resources.” He said he worries about credit card information of students who pay for courses online, illegal downloads, system upgrades and much more.
“That's money I'd much rather use on improving technology for instruction and administrative processes,” Reeder said.
Security and IT risk management, rather than system maintenance, consumes at least 10 percent of his attention every day, Reeder estimated. “Now it's part of the discussion in whatever you do,” he said.
Managing IT risks is still much more art than science—although some scientists and corporate thinkers are on the case. The best way to assess IT risk is to quantify the cost of various IT risks so that business executives know whether a certain solution is worth the expense. After all, commercial insurers can calculate the risk of a Category 4 hurricane destroying New Orleans. Why can't CIOs calculate the risk of, say, postponing a needed platform upgrade for two more quarters?
Risk assessment methodology
At the Massachusetts Institute of Technology, George Westerman wants to answer just that sort of question. As a research scientist at MIT's Center for Information Systems Research, in Cambridge, Mass., Westerman said he wants to bring that same analytical discipline that insurance risk estimators use to the complexity of the modern corporate IT system.
“It's really a state-of-the-art management item,” Westerman said. “People have started to get a good, audit-based view of IT and understanding where the holes are that they need to fix. And some of them have started to put a risk-based prioritization there, so they're working on the risks that matter most to the firm. But very few firms have reached the point where they can measure this.”
At Arch Chemicals Inc., in Norwalk, Conn., Vice President of IT Al Schmidt said he has tried to achieve that goal for the past three years. Using a risk-assessment methodology developed by the Government Accounting Office, Schmidt first developed a “threat library” for the $1.4 billion chemical wholesaler. He documented all possible risks along Arch's supply chain and then played out various risk scenarios to gauge their severity.
Some of the questions Schmidt posed included “What would the consequence be in business terms?” and “Could the business absorb that?” Schmidt said he knew he had two choices for every IT risk: build security so strong as to make the risk impossible or mitigate the consequences so much that the risk would be harmless. “We had both levers at our disposal, and we used them,” he said.
Arroyo uses a similar approach at Cingular. Where possible, he said he puts specific numbers on the possible damage from an IT risk—say, the lost revenue from a virus knocking Cingular's subscribers off the network for an hour. Where a threat does not lend itself to financial measurement, Arroyo and his team describe potential damage as “small,” “medium” or “large.”
Arroyo's worry about data privacy is one example of a qualitative IT risk. Online services are popular and convenient for customers, he said, but they also expose Cingular users to the threat of identity theft. In reality, the likelihood of thieves stealing data on all 52 million Cingular users is remote, but fraud against even a few could damage Cingular's reputation enormously. That all adds up to a “high” IT risk.
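The likelihood-times-damage method described above (the threat library and scenarios at Arch Chemicals, and Cingular's mix of dollar figures and small/medium/large ratings) worked through as an added example, not code from either company or from the article: each entry in a small register is either priced in dollars or rated qualitatively, the register is ranked, and each mitigation's cost is compared with the expected loss it removes. The probabilities, dollar amounts and band thresholds are constructed for illustration, and the 25 percent cut-off and `LOSS_BANDS_USD` values are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
# Ordinal scale for damage that cannot be priced in dollars.
DAMAGE_SCALE = {"small": 1, "medium": 2, "large": 3}
# Assumed thresholds mapping an annualized expected loss onto the same bands.
LOSS_BANDS_USD = [(1_000_000, 3), (100_000, 2)]
@dataclass
class Risk:
    name: str
    likelihood: float                  # estimated annual probability, 0..1
    loss_usd: Optional[float] = None   # damage in dollars, where it can be priced
    damage: Optional[str] = None       # otherwise "small", "medium" or "large"
    control_cost_usd: float = 0.0      # annual cost of the mitigating control
    residual_likelihood: float = 0.0   # likelihood once the control is in place

    def expected_loss(self, p: Optional[float] = None) -> Optional[float]:
        """Annualized expected loss = likelihood x damage, for priced risks only."""
        if self.loss_usd is None:
            return None
        return (self.likelihood if p is None else p) * self.loss_usd

    def severity(self) -> int:
        """Band 1..3. 'large' damage stays 3 however remote the likelihood (the
        article's identity-theft case); lesser damage drops to 1 below an assumed 25%."""
        if self.damage is not None:
            level = DAMAGE_SCALE[self.damage]
            return level if level == 3 or self.likelihood >= 0.25 else 1
        el = self.expected_loss()
        return next((band for limit, band in LOSS_BANDS_USD if el >= limit), 1)

    def decision(self) -> str:
        """Mitigate a priced risk only when the control costs less than the expected
        loss it removes; a qualitative risk is mitigated when its severity is 3."""
        if self.loss_usd is not None:
            saved = self.expected_loss() - self.expected_loss(self.residual_likelihood)
            return "mitigate" if self.control_cost_usd < saved else "accept"
        return "mitigate" if self.severity() == 3 else "accept"

def prioritize(risks: List[Risk]) -> List[str]:
    # Rank the threat library by severity band, then by expected loss.
    ranked = sorted(risks, key=lambda r: (-r.severity(), -(r.expected_loss() or 0)))
    return [r.name for r in ranked]
# Constructed sample register (figures illustrative, not Cingular's).
REGISTER = [
    Risk("virus takes subscribers offline for an hour", 0.5, loss_usd=400_000,
         control_cost_usd=120_000, residual_likelihood=0.1),
    Risk("theft of a few customers' identity data", 0.05, damage="large"),
    Risk("hurricane destroys the primary data center", 0.01, loss_usd=20_000_000,
         control_cost_usd=500_000, residual_likelihood=0.001),
    Risk("intern misfiles a vendor invoice", 0.9, damage="small"),
]
```

Note that the hurricane entry comes out as "accept": the control's cost exceeds the expected loss it would remove, which is the same trade-off the article illustrates with trucking in supplies rather than stocking a backup distribution center.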
Regardless of how a company evaluates IT risks—financial data might be ultrasecret at a private business, for example, but public record at a government agency—many in corporate America say that the CIO should not make decisions about managing those risks on his own. IT systems now underlie almost all business operations, so any decisions about how to structure those systems will inevitably affect how the business operates overall.
“In many cases, higher-level executives want to delegate this to CIOs to manage,” Westerman said. “One thing I've found … is that if IT executives are left to decide IT issues on their own, they're going to make important business trade-offs they just aren't informed to make.”
Stephen Foster, former chief information security officer at network equipment maker Avaya Inc., in Basking Ridge, N.J., and now a consultant, puts it even more bluntly. “CIOs are too busy. They have their own priorities; they have limited budgets; and their focus is on delivering technology, not delivering security,” Foster said. “I don't want technology people making serious, strategic, business-risk decisions.”
Matt Kelly is a freelance writer in Somerville, Mass. He can be reached at [email protected].