Focus on IT security risk management, CIOs urged

Monday 12 August 2013

When chief information officers are planning IT risk and security measures, the need to ensure compliance with regulations should no longer be the primary consideration, it has been claimed.

According to Gartner, compliance is an outcome of a well-run risk management programme and, as such, should not dominate CIOs' decision making.

John A. Wheeler, research director at the IT analyst firm, said that by simply trying to keep up with individual compliance requirements, organisations become rule followers rather than risk leaders.

"CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders, who proactively address the most severe threats to their enterprises," he stated.

"Organisations must change this reactive, check-the-box mindset and start viewing compliance as a risk."

Mr Wheeler claimed that if CIOs are managing their risks effectively, compliance requirements will be met, and not the other way round.

He called on IT leaders to create a formal and defensible programme of controls based on the specific situation and risks unique to their business.

"The rules and laws should then be mapped into the controls that have been proactively selected, and a defensible case should be made that the laws are being appropriately addressed," Mr Wheeler added.


Posted by Alex Boardman