How CIOs Can Teach Technology Risk to CEOs: A Mini-Guide

The 2017 CEO Survey by Gartner found that the corporate leaders rank profit growth as their #1 goal, naturally, but ranked technology-driven business change as #2. Forty-two percent call their businesses “digital first”. Yet 53% of those surveyed could not name a clear metric for digital success.

All this is opportunity knocking for CIOs, says Gartner:

“CEOs need leaders to step up to explore and shape the digital business future…Given that technology creates the vortex of today’s disruption, progressive CIOs have a great opportunity to step up and exemplify the new leadership traits that CEOs seek.”

As CIOs well know, more investment in technology should be paired with commensurate investment in technology risk management.  But that message isn’t top of mind for CEOs, Gartner researchers found.

And that points out the CIO’s challenge in “stepping up”: How to present technology as an agent of growth, while not sounding overly cautious about technology risk.  Read the following mini-guide to position yourself with your CEO.

An Executive’s Guide to Cyber Risk Economics

Start here, definitely. Jack Jones (co-founder and EVP of RiskLens) translates security concepts into business concepts.

As Jack writes

“Boards of directors or senior executives are weary of heat maps and other vague sources of risk intelligence. They want to understand cyber risk in financial terms and ensure business-aligned decisions are made regarding budgeting, prioritization, resource allocation, etc.”

Jack presents the basics of “quantification”, expressing technology risk in financial terms that CEOs understand.

Cyber Attacks Hit the Bottom Line in 2017

If you need a quick consciousness-raiser, this article covers the record this year for big companies crippled by surprise cyber attacks and – CEOs take notice – compelled to issue warnings that their financials would be materially affected by the resulting losses.

Tying Risk Reporting and Metrics to Your Company’s Goals

RiskLens’ Chief Technology Officer Bryan Smith writes that, above all, “business leaders need risk reporting they can relate to and is relevant to their goals.” Traditional risk metrics coming out of the CIO’s office, counts of vulnerabilities, for instance, won’t cut it; risks need to be tied to lost productivity or other metrics that relate to the CEO’s priorities.

CISOs and Boards Are Far Apart (But Can Close the Gap)

This survey found that communication styles were the big impediment separating IT executives and Board members (and the issues are the same for CEOs). Skip to the end of the post for a list of communication tactics helpful to CIOs, such as “keep it simple and interesting”, “provide pointed evidence” and “show your plan and progress”.

Definitions: Cyber Risk vs. Technology Risk. What’s the Difference?

CIOs should make some critical distinctions to CEOs when discussing types of risk, risk response, and organizational structure.  Most importantly, CIOs should relate tech risk to overall operational risk for the organization, and be prepared to report on risk management in terms consistent with reporting on the non-technology side of the house.

Read more:

5 Questions Boards Should Ask About Cyber Risk [Infographic]

Talking Cyber Risk Analysis to Skeptical Executives