CIOs are often distracted by their efforts to keep up with specific regulations, according to Gartner, Inc.
“CIOs must stop being rule followers who allow compliance to dominate business decision making and become risk leaders who proactively address the most severe threats to their enterprises,” John A. Wheeler, research director at Gartner, was quoted in a press release as saying.
In a report titled “Compliance Is No Longer a Primary Driver for IT Risk and Security,” Wheeler said that compliance regulations should no longer be the driving consideration for CIOs, who otherwise implement “mandated controls regardless of the anticipated risk severity or impact” to their organization.
He said organizations need to create specific programs around the risks unique to their business. By taking this approach, organizations rely on their own assessments to guide their implementation of controls. When the work is approached as a risk-management exercise, compliance becomes the natural outcome.
“If CIOs are managing their risks effectively, their compliance requirements will be met, and not the other way round,” added Wheeler.
CIOs need to proactively create plans with the proper controls in place to mitigate risk, and then map the compliance requirements back to those controls. Then, he said, a defensible justification can be made.