IT Security : Risk management

Added 15th Jun 2007

Article Highlights

  • ISPs are beginning to give away security software with their service.
  • The ISP will use its economic muscle to demand improvements in the software that consumers are too ignorant, powerless or complacent to contemplate.

Who has the best shot at mitigating risk? Who is best qualified to shoulder the responsibility for owning risk?

Only when you begin to think of this from a risk perspective do you begin to see that the IT industry, government and the media have all delegated the responsibility for consumer IT security to the individual. And you begin to see that perhaps that strategic decision has become completely outdated and, therefore, whacked.

We're starting to see some leakage around this absurd thinking. ISPs are beginning to give away security software with their service. This might seem like a waste of money since most new computers these days come pre-loaded with security software programs. But from a risk perspective, the cost to the ISP becomes trivial. Unprotected computers heave spam on customers and other ISPs, clog the pipes, ruin customer satisfaction and make the ISP the highway for increasingly serious criminal activity.

ISPs are much better equipped to shoulder the responsibility for mitigating the risk, too, because they can define and enforce the default. And the uniformity of the software across customers means the ISP has better knowledge of the impact of the software on customers and its network. The ISP will use its economic muscle to demand improvements in the software that consumers are too ignorant, powerless or complacent to contemplate.

At the organization level, think of IT security and you think about a cyber proof vest, shielding the company from all outsiders. The early threats from viruses and website graffiti taught business executives to think of security that way. Yet from a risk perspective, this is hopelessly incomplete. The risk was, and is, in the data. Now companies are madly encrypting all their data in an attempt to keep it from walking out the door in a laptop or thumb drive.

But this second wave of IT security has led to a disastrous perception problem: the general sense that the first generation of IT security failed. All that money invested in the perimeter didn't protect companies and now they need to spend a lot more.

If you elevate the discussion to risk, you immediately see that it's not a failure of the IT organization at all. It's a failure of organizations like TJX and most government agencies to consider risk from a more all-encompassing perspective. Don't you think that a CIO somewhere argued for encrypting data back in the day when perimeter security was the emphasis of most companies? That discussion would have ended quickly because encryption is expensive and complex. Few executive teams would have felt compelled to spend the extra money when perimeter security seemed to be working.
