Tuesday, 18 March 2008

CIO Magazine 20 Minute Miracles and Real Risks

I liked CIO Magazine's article 20 Things You Can Do In 20 Minutes to Be More Successful at Work by Stephanie Overby. Several excerpts follow.


  • Grab the annual 10-K reports that your top competitors have filed with the Securities and Exchange Commission and read the section called "Management's Discussion and Analysis." That's where the CEO (through corporate lawyers) describes what happened to the company in the past year, good and bad.

    By scanning that material, you can immediately get a better understanding of the competition.

  • Sit down right now and reschedule all your internal IT meetings for just 20 minutes...

    "There's only about 15 minutes to 30 minutes of true productivity in most meetings, even though meetings are typically set up for an hour," says Michael Hites, CIO of New Mexico State University, who once placed a 30-minute limit on all meetings. "The idea is that it forces you and your meeting buddies to prepare and focus." Hites found that shorter meetings were more effective and left more time to actually accomplish things.

    If you like that idea, consider this even more sweeping suggestion from Direct Energy CIO Kumud Kalia: Cancel all recurring meetings with your subordinate staff. "Ask them to come to you with major issues, not every little decision," Kalia advises.

  • Take your own company's 10-K and pay attention to the bad stuff that happened in the past year. Think about how technology affects such events, then figure out what you can do about them. For example, in its latest 10-K, Owens Corning, the $6.5 billion maker of construction materials, talks about how the decline in U.S. home building hurt sales. Could better business intelligence have predicted how steeply new construction would fall and have helped Owens prepare?

    Think also about how IT can mitigate the scary possibilities cited in the "risk factors" section.

  • Ask yourself if you're working toward something or just working.

  • [S]end an e-mail to your staff to encourage them to pick up on something new. And tell them they are expected to spend one day a month learning. Make it an official day on everyone's calendar...

    One no-cost way to do this is to encourage participation in computer user group meetings and industry associations.


Speaking of 10-K forms, I looked at the latest from Owens Corning, specifically the Risk Factors section. It reminded me that the idea of creating a "Chief Risk Officer" out of the ranks of the information security staff is generally a bad idea. Why? All of the risks that businesses care about have little to do with information or security. Here's what Owens Corning cites:

  • Downturns in residential and commercial construction activity or general business conditions could materially negatively impact our business and results of operations.

  • Our cost-reduction projects may not result in anticipated savings in operating costs.

  • Adverse weather conditions and the level of severe storms could materially negatively impact our results of operations.

  • We may be exposed to increases in costs of energy, materials and transportation and reductions in availability of materials and transportation, which could reduce our margins and harm our results of operations.

  • Our hedging activities to address energy price fluctuations may not be successful in offsetting future increases in those costs or may reduce or eliminate the benefits of any decreases in those costs.

  • And the list continues...


Do you see what I mean? At the top levels of business, risk is all about business. It has little or nothing to do with anything we in the information security space manage on a day-to-day basis. I'm fine with that. My major role is to protect my company, our users, and to the extent possible, our customers and peers from digital threats... without them worrying about it. My company makes money, and I try to keep us safe.

If you do aspire to be a CRO, work for a financial or insurance firm, get an MBA, and lead a business line after being a security person. The companies popularly cited as having CROs are all insurance and financial in nature. These industries internalize risk via financial calculations and models on a daily basis, but the risks they model involve capital, not data.
