Acuity Risk Management

Cyber Risk: A CIO Perspective on Digital Transformation

Guest blog by Philip Clayson


Cyber risk in an increasingly digital landscape is a topic everyone should be intimate with, and yet few people are. The mundane work of managing risk is often displaced by the need to deliver transformation, accelerate product innovation or simply deliver the numbers. How then can we, as business leaders, reduce the overhead of managing digital cyber risk with modest levels of time and financial investment, adopt modern technology principles without creating a cottage industry around them, and do it quickly, while also doing our day jobs?

While the entire executive team is responsible for the successful digital transformation of the business, it is the CIO, CTO and technology leadership team that serve as the bridge connecting IT with the business. The CISO, CRO and CIO must ensure that appropriate risk management is embedded into digital transformation, whether B2B or B2C, but especially if there is a Critical National Infrastructure component to a company’s operations.

In the digital economy, the management of risk, including cyber and physical security, must be an integral part of business processes, not an afterthought or add-on. Risk management cannot be viewed as a defensive investment with limited (if any) ROI; it must instead be considered a foundational element of any business model.

Unfortunately, risk management and cyber security are too often seen as overhead rather than as enablers of success. Who had a worldwide pandemic on their risk tracker? Most good CIOs know all too well where their risks lie and are tasked not only with protecting the business from harm, but also with convincing the rest of the executive team to invest in remediation programmes they often barely understand.

So, how does a CIO balance the need for executive education, including of peers and seniors, and for successful, agile digital transformation that drives business performance, against the risk of a myriad of threats and attacks as organisations continue to expand their digital footprint? The threat landscape becomes more complex and unpredictable as digital channels and solutions become ubiquitous.

The resulting shift in compliance, regulation and risk driven by this digitisation will require new thinking, because old processes will no longer be sufficient and the scale will dwarf anything we have seen to date, particularly for international B2C operations. In industries like retail, travel, energy and food, where margins are notoriously thin, the problem of investing effectively in risk mitigations is even more pronounced, and risk management investments are harder to justify.

To put some scale to this challenge, by 2022, it is expected that $1.97 trillion will be spent on the digital transformation of business (source: IDC). Over 60 percent of global GDP will be digitized with growth in every industry driven by digitally enhanced offerings.

So it is incumbent on all business leaders, though technology leaders will perhaps need to lead the way, to find cost-effective answers to this digital transformation challenge: solutions that allow us to be compliant yet adaptable, agile yet controlled, and governed yet successful.

In my CIO and CTO roles to date, I have worked with many market providers of risk management solutions, and with many colleagues who aim to help the C-suite, in some cases of large FTSE businesses, to understand and manage risk.

So often, the articulation of risk is poor. “It will break and it will be a disaster” is not an uncommon statement from those who understand the operational impact of a risk but cannot quantify it in commercial terms (revenue or profit), in compliance and regulatory terms, or in terms of reputational damage.

How then do we remove the mundanity of risk management, especially cyber risk management, as we grow our digital footprints, often on legacy IT, without having to invest heavily to do so?

In short, there are many questions to answer as you plot a course to success.

Questions of importance include:

  • How does a CIO balance the need for successful and agile digital transformation to drive business performance against the risk of cyber threats and attacks?
  • How do you get an entire team motivated around risk, alongside, but not instead of, other competing priorities?
  • How do you keep the overheads (money and time) to deliver effective risk management, in proportion to the size, scale and operating environment of your business?
  • What are the most important considerations in building out a self-sustaining but low-footprint risk management programme in your business?

The answers to these and similar questions form the cornerstone of ensuring that any digital transformation has risk built in. Risk is then just one component of inspiring technology teams to engage quickly: to create, implement and operationalise transformation and deliver strategy in business-critical, time- and cost-sensitive environments.

Having led multiple successful transformation programmes, where digital cyber risk, or risk with critical national infrastructure, or both, is a key component, I am often asked “where and how do we start?”

This article opens our thought processes ahead of a webinar on the subject with Acuity Risk Management CEO Simon Marvell, to discuss why including risk, particularly cyber risk, is one of the most fundamental elements of a digital transformation strategy.

Simon and I have worked together several times and we share a common view of the challenges, and of some of the answers to the questions posed above, and I am pleased to be able to share my thoughts on this webinar.

View the Cyber Risk: A CIO perspective on digital transformation webinar on-demand.