Why the C-Suite Should Scorecard IT Risk

by Frederic Veron

People love to create new things, and that deserves to be celebrated – it’s what makes us uniquely human. Innovation in technology helps move the way we live and work forward, but as we usher in the wave of the future, we must also keep a pulse on the risk exposure of our current systems and what we may be sacrificing in the name of progress.

As someone with CIO and IT leadership experience at established financial institutions like Deutsche Bank, Fannie Mae and many others, it’s not only my job to help incubate creative technologies to advance the firm’s business objectives – it’s also a big part of my remit to make sure new ideas and technologies don’t broaden our exposure to unnecessary risk.

Business leaders must ask themselves – is the innovation we’re driving sustainable? Are we inadvertently creating more opportunities for hackers to steal data? Is the investment we’re making today going to support the needs of tomorrow, or even jeopardize the stability of our systems today?

To answer these questions and ones like them, C-suite leaders should establish and consult an IT risk scorecard for their software systems and applications.

Establishing IT Risk Management as a Core Discipline

So, what should be prioritized in the broad scope of IT risk management? Decreasing the firm’s overall risk exposure is of course the number one priority, but this also includes aspects of application security, software performance and making sure our development teams are producing quality applications that can be supported and maintained over time.

It’s easy to identify companies that don’t have a good handle on this – there are many in today’s world. In order to prevent software-related disasters, leadership must know as much as they can to safeguard as much as possible. Think of the MRI machine. We go to the doctor and get an MRI scan to understand health risks that are invisible to the naked eye, and with this valuable insight we make more informed decisions, often now in a preventive manner, about our health.

The 2017 Equifax breach is a case in point. The company had no software risk scorecard, and as a result its leadership was blind to issues in the structural quality and security of applications critical to its business operations. The breach was ultimately traced to a publicly known, unpatched vulnerability in the Apache Struts framework underlying a consumer-facing web application: exactly the kind of exposure that stays invisible to leadership without an inventory of what the business runs and a measure of its condition. Those unseen weaknesses eventually reared their head in the form of a breach that affected well over a hundred million U.S. consumers. And this is just one recent and well-known example among many.

Making IT risk management a core discipline – i.e. creating and monitoring an overall IT Risk Score – gives leadership real-time metrics to answer questions like: Where might our applications be unstable? Where are costs running off the rails, and why? Where are we vulnerable to cyberattacks?

There’s a lot to keep your eyes on when you’re a large IT shop managing thousands of different systems, and Software Intelligence offers an easy, fast and automated means to keep tabs on software health, identify security violations and produce evidence for regulatory compliance across multi-tiered technologies. No tool guarantees compliance on its own; what it gives leadership is a continuously refreshed, defensible picture of where the exposure actually is.

Three Things Software Intelligence Tells You About IT Risk

With Software Intelligence, team leaders and line-of-business executives can have productive and fact-based conversations around things like software quality, application security and IT complexity. Each of these elements is important for its own reasons:

  • Software Quality – Poor software quality is a leading cause of expensive financial losses and infrastructure outages. As an infrastructure becomes more complex, applications should be simplified to better support business needs and avoid nine-digit (hundred-million-dollar) defects.
  • Application Security – Today’s era of cyber risk requires a proactive and comprehensive approach. For the CIO’s office, this means designing security into applications from the beginning and focusing on high-priority violations such as unauthorized access paths to sensitive data, missing input validation (the root of most injection flaws) and backdoor-style access into mission-critical systems. A single critical violation in a business-critical system should outrank a thousand low-severity findings elsewhere.
  • IT Complexity – Left unchecked, software complexity grows beyond control, rendering applications and portfolios overly costly to maintain and risky to modernize. Continuous analysis of complexity helps teams stay ahead of issues that could impact performance and prevents excess complexity from taking root.
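The scorecard the article advocates can be sketched in a few dozen lines. The example below is added here for illustration; it is not CAST’s scoring model or any code from the original post. It folds the three dimensions above (security violations weighted by severity, open structural-quality defects and average cyclomatic complexity) into a single 0-100 risk score per application, applies the override a practitioner would insist on (a critical-severity security violation in a business-critical application is never rated green, whatever the averages say) and ranks the portfolio. All weights, caps, thresholds and the sample portfolio are constructed assumptions.

```python
"""Toy IT risk scorecard (added example; weights, caps, thresholds and
sample data are assumptions, not CAST's model)."""
from dataclasses import dataclass

# Relative weight of each dimension in the composite score (assumption).
WEIGHTS = {"security": 0.5, "quality": 0.3, "complexity": 0.2}

# Points per security violation, by severity (assumption).
SEVERITY_POINTS = {"critical": 10, "high": 5, "medium": 2, "low": 1}

# Raw value at which a dimension saturates at 100 (assumption):
#   security   - weighted violation points per KLOC
#   quality    - open structural-quality defects per KLOC
#   complexity - mean cyclomatic complexity per function
CAPS = {"security": 2.0, "quality": 5.0, "complexity": 20.0}

# (amber, red) thresholds; tighter for business-critical apps (assumption).
THRESHOLDS = {True: (30.0, 55.0), False: (40.0, 70.0)}

RANK = {"RED": 0, "AMBER": 1, "GREEN": 2}


@dataclass(frozen=True)
class AppFindings:
    name: str
    business_critical: bool
    kloc: float                 # thousands of lines of code (must be > 0)
    security_violations: dict   # severity -> count
    quality_defects: int        # open structural-quality defects
    avg_cyclomatic: float       # mean cyclomatic complexity per function


def normalize(value: float, cap: float) -> float:
    """Map a raw metric onto 0..100, saturating at the cap."""
    return 100.0 * min(1.0, value / cap)


def dimension_scores(app: AppFindings) -> dict:
    """Per-dimension scores on a common 0..100 scale."""
    # An unknown severity raises KeyError rather than silently scoring 0.
    points = sum(SEVERITY_POINTS[sev] * n
                 for sev, n in app.security_violations.items())
    return {
        "security": normalize(points / app.kloc, CAPS["security"]),
        "quality": normalize(app.quality_defects / app.kloc, CAPS["quality"]),
        "complexity": normalize(app.avg_cyclomatic, CAPS["complexity"]),
    }


def composite_score(app: AppFindings) -> float:
    """Weighted composite of the three dimensions, 0..100."""
    dims = dimension_scores(app)
    return sum(WEIGHTS[k] * dims[k] for k in WEIGHTS)


def rating(app: AppFindings) -> str:
    """RAG rating with a policy override for known critical exposures."""
    # A critical-severity violation in a business-critical system is red
    # regardless of how benign the portfolio-wide averages look.
    if app.business_critical and app.security_violations.get("critical", 0) > 0:
        return "RED"
    amber, red = THRESHOLDS[app.business_critical]
    score = composite_score(app)
    if score >= red:
        return "RED"
    if score >= amber:
        return "AMBER"
    return "GREEN"


def scorecard(apps) -> list:
    """Rows of (name, rating, composite), worst first."""
    rows = [(app.name, rating(app), composite_score(app)) for app in apps]
    rows.sort(key=lambda r: (RANK[r[1]], -r[2]))
    return rows


# Constructed sample portfolio (not real data).
PORTFOLIO = [
    AppFindings("legacy-claims", True, 400.0,
                {"critical": 5, "high": 40, "medium": 120, "low": 300}, 1500, 22.0),
    AppFindings("hr-portal", False, 80.0,
                {"high": 6, "medium": 20, "low": 40}, 200, 9.0),
    AppFindings("mobile-api", True, 40.0,
                {"critical": 1, "low": 5}, 20, 6.0),
]

if __name__ == "__main__":
    for name, rag, score in scorecard(PORTFOLIO):
        print(f"{rag:5} {score:6.1f}  {name}")
```

Note what the sample shows: mobile-api scores well below the amber threshold on every average, yet lands on the red list because of one critical violation in a business-critical system. A scorecard that only averages would have hidden it, which is the Equifax lesson in miniature.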

Can IT Risk Management Live in Harmony with Innovation?

Focusing on IT risk management while supporting innovative software development may seem a lot like trying to blend oil and water, but I would argue that successfully merging the two is now the key to market disruption. Effective CIOs (and business leaders) should be able to:

  1. Run what they have to prove they are reliable and resourceful.
  2. Understand risk exposure using Software Intelligence and take action accordingly.
  3. Drive new products and innovation at the appropriate speed using a systematic IT risk scorecard.

Leaders of large enterprise institutions carry one of the biggest burdens here: striking the right balance between speed and stability. Overly complex or risky systems prevent companies from realizing the benefits of modern app dev, because they are plagued by service disruption rooted in clunky, cobbled-together legacy architectures.

As they adopt Agile methods, collaborative DevOps teams are releasing new features at speed. The danger here is that many teams are either not Agile enough, because they can’t establish confidence in the quality of their changes on aging and complex codebases, or they are too focused on the speed at which they’re delivering. Just like a finely engineered German car racing down the Autobahn, development teams must be able to rely on a solid “braking system” to slow down or change course when required: not knowing the condition of one’s brakes will surely lead to a very slow and stressful drive. The better teams manage software complexity, the faster they will actually be able to deliver.

Everyone wants to be a visionary within their company. But for the C-suite to prove their effectiveness in the digital age, managing existing technologies while investing in the new remains a challenge. Taking a hard look at IT risk management – understanding technical debt, prioritizing technology investments and improving overall software quality – is the key to successfully navigating this modern-day tightrope walk.

Frederic Veron, CIO and Head of Safety and Soundness

Frederic is a tenured IT executive with extensive experience in the financial services and global technology consulting industries. Well versed in the challenges of IT service delivery and governance models, Frederic has led countless transformation and risk management programs to help companies complete the shift to fully digital business models.