This year saw emerging risks posed by AI, disastrous outages like the CrowdStrike incident, and mounting software supply chain frailties, as well as the risk of cyberattacks and of quantum computing breaking today’s most advanced encryption algorithms. In today’s uncertain climate, all businesses, regardless of size, are prone to disruption.
“Over the past year, the focus on risk management has evolved significantly,” says Meerah Rajavel, CIO of Palo Alto Networks. “With the increasing sophistication of cyber threats and the accelerated pace of digital transformation, organizations must be more proactive in identifying and mitigating risks.”
To respond, CIOs are doubling down on organizational resilience. “It’s a business imperative,” says Juan Perez, CIO of Salesforce. “CIOs must tie resilience investments to tangible outcomes like data protection, regulatory compliance, and AI readiness.” Resilience frameworks have measurable ROI, but they require a holistic, platform-based approach to curtail threats and guide the safe use of AI, he adds.
Others agree the evolving threat landscape is turning heads and necessitating novel tactics. “Risk management is getting more board and executive attention, and even fairly modern risk frameworks are proving inadequate,” adds Ralph Loura, former CIO and SVP at Lumentum, Hewlett-Packard, and The Clorox Company, among others. “CIOs and CISOs must stay hyper-vigilant and aggressive in adopting new frameworks and tools.”
CIOs are facing these challenges head-on by designing integrated resilience strategies to future-proof their organizations. This involves establishing guardrails around AI, performing disaster training exercises, mitigating third-party threats, and more. However, CIOs must still demonstrate measurable outcomes and communicate these imperatives to senior leadership to secure investment.
Why risk management is vital
Risks in enterprise IT have significantly evolved in the past year, demanding an emphasis on short- and long-term resilience plans spanning multiple areas. Of these, AI is at the top of many CIOs’ minds. “AI is a powerful tool that can drive innovation, improve decision-making, and streamline operations,” says Rajavel. “However, as AI is deeply integrated into business processes, it also opens up new attack surfaces and vulnerabilities.” Reinforcing this claim, one in four IT executives from the 2023 AI Priorities Study believe their organization is moving too fast when it comes to deploying gen AI.
AI, after all, brings novel risks, necessitating more assessments and clearer boundaries for AI agents. According to Salesforce’s Perez, even though AI brings much opportunity, it also introduces complexity for CIOs, including security, governance, and compliance considerations. “It’s a CIO’s job to prioritize data privacy and ethical use, and ensure innovation doesn’t outpace safeguards,” he says. “It reminds me of the early days of cybersecurity when rigorous assessments ensured software met company standards. AI assessments will follow suit.”
Another undeniable factor is the unpredictability of global events. “The pandemic has further underscored the importance of resilience, prompting CIOs to prioritize not only immediate risk management but also long-term resilience strategies,” says Rajavel. “This shift ensures businesses can withstand disruptions and continue operations seamlessly, maintaining trust and stability in uncertain times.”
The software supply chain is also under increasing threat. “This year, security and tech leaders have increased their focus on risks associated with third-party vendors and supply chain stakeholders,” says Dave Stapleton, CISO at ProcessUnity. These risks primarily stem from vulnerable code and outages originating from third-party dependencies.
To his point, Sonatype’s 10th Annual State of the Software Supply Chain Report found a 156% increase in malicious packages year-over-year. And while 99% of packages have updated versions available, 80% of application dependencies remain un-upgraded for over a year. Likely as a result, third-party risk management (TPRM) and supply chain risk management (SCRM) markets are estimated to grow at a CAGR of 10 to 15% in the coming years.
In addition to these risks, data breaches, ransomware attacks, and unexpected global outages can cause serious damage to mission-critical initiatives, no matter the company size or vertical, says Arvind Nithrakashyap, co-founder and CTO at cybersecurity company Rubrik. “To address them, it’s clear that organizations should focus on cyber resilience.”
Future-proofing to enhance resilience
Just as homeowners are encouraged to keep a disaster preparedness kit, organizations should plan for disasters and practice how to respond. “If they haven’t already, CIOs should prioritize disaster scenario planning,” says Nithrakashyap. Part of this involves having a robust data security strategy and remediation protocols for when an incident occurs.
When organizations face unexpected downtime, IT and business leaders should view it as a dress rehearsal for a large-scale cyberattack, he adds. “The conversation shouldn’t just be about prevention, but instead focus on fostering resiliency by having the right technology and processes in place to limit damage when the inevitable happens.”
To ward off incoming AI risks, CIOs see an integrated security strategy as necessary to enhance IT robustness. “Considering that over half of tech providers plan to allocate R&D and investments toward AI and automation through 2026, building IT resiliency is critical,” says Rajavel. “CIOs need to align operations with these new use cases while ensuring their teams can support enterprise-wide digital transformations.”
Resiliency planning will also require staying up to date on new NIST security frameworks and maintaining continual collaboration with security leadership. “No one will succeed as a lone wolf here,” says Loura, who encourages CIOs to network with peers and security vendors, and proactively approach change as the threat landscape evolves.
How CIOs are taking action
CIOs are advocating for specific initiatives to enhance resilience within their organizations. For instance, Salesforce’s internal AI Council, composed of cross-functional leaders, convenes to discuss AI investments and ethical considerations. “The Council meets regularly to assess business needs, and employees can pitch new AI ideas for consideration,” says Perez, who adds this is helping Salesforce balance innovation with responsible AI tooling adoption.
Other CIOs have doubled down on transforming security operations and dogfooding tools to enhance visibility into potential risks. Rajavel shares that Palo Alto Networks has undertaken a significant resilience-focused initiative by transforming its security operations center (SOC) with continual threat detection bolstered by ML.
“Our SOC is dedicated to protecting our own employees and infrastructure, and is responsible for threat monitoring, threat hunting, and incident response, which safeguards thousands of users, hundreds of thousands of server endpoints, and a vast cloud and on-premise infrastructure,” says Rajavel. These improvements are helping to handle urgent incidents with automated alerts, and enable analysts to perform more proactive threat hunting.
Beyond threat detection, it’s essential to weigh the impact of potential disruptions. Stapleton shares that ProcessUnity is conducting annual business impact reviews with executive and senior leadership teams, providing insight into critical business processes, HR, and technologies. “This process forces us to explore the likelihood of different types of disruptions, their potential impact on our organization and customers, and identify any steps we can take to minimize the resultant risk,” he says.
Internally, Rubrik has adopted a comprehensive data security strategy: it continually monitors adherence to secure coding practices and tracks sensitive information as well as access to that information. “We’ve also established clear processes to follow if we’re ever attacked,” says Nithrakashyap.
Key strategies for resilience
A handful of emerging approaches and technologies are helping CIOs deliver better risk mitigation and resilience measures. Palo Alto Networks’ Rajavel recommends developing an integrated security strategy with a consolidated security platform and being outcome-driven. “Taking a platform-based approach reduces complexity, enabling CIOs to maintain a strong security posture without sacrificing speed or agility,” she says.
And Nithrakashyap highlights data security posture management (DSPM), which he describes as a holistic approach to assessing, monitoring, and managing a business’s cybersecurity readiness and effectiveness by safeguarding its data assets. “By implementing DSPM, organizations can focus on their data priorities, knowing where all their data lives and how to secure it,” he says. This can assist CIOs in tackling data governance issues, he adds.
CIOs encourage constant monitoring and an always-on approach to improve security best practices, especially when dealing with sensitive information. According to Loura, one key area is ensuring multi-factor and multi-person validation of material changes to certain sensitive records, like bank accounts or addresses. He also recommends specific techniques such as data masking, monitoring, automatic patching, defense-in-depth approaches, and recovery strategies.
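The multi-factor, multi-person validation Loura describes is usually implemented as a maker-checker workflow: a change to a material field is only proposed by the first person and only takes effect once a different person approves it with a fresh second factor, and every step lands in an audit trail. The following is an added illustration, not code from any of the companies quoted here; the field names, record IDs, user names and TOTP secrets are constructed, and the TOTP check follows RFC 6238 (SHA-1, 30-second step, 6 digits) so that the approver's second factor is verified rather than assumed.

```python
"""Maker-checker (dual-control) workflow with an MFA step for changes to
sensitive record fields. Added illustration, not the code of any company
quoted in the article; secrets and record data below are constructed."""
import hashlib
import hmac
import struct
import time
import uuid
from dataclasses import dataclass, field

# Material fields: changing one needs a second approver plus a fresh MFA proof.
SENSITIVE_FIELDS = {"bank_account", "mailing_address"}


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP code for time `at` (seconds since the epoch)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


@dataclass
class ChangeRequest:
    record_id: str
    field_name: str
    new_value: str
    requester: str
    change_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    status: str = "pending"


class SensitiveRecordStore:
    def __init__(self, records: dict, mfa_secrets: dict):
        self.records = records          # record_id -> {field: value}
        self.mfa_secrets = mfa_secrets  # user -> TOTP secret (constructed)
        self.pending: dict = {}         # change_id -> ChangeRequest
        self.audit: list = []           # append-only audit trail

    def propose_change(self, requester, record_id, field_name, new_value):
        req = ChangeRequest(record_id, field_name, new_value, requester)
        if field_name not in SENSITIVE_FIELDS:
            self._apply(req, approver=None)   # non-material: apply directly
        else:
            self.pending[req.change_id] = req
            self.audit.append(("proposed", req.change_id, requester, field_name))
        return req

    def approve(self, change_id, approver, mfa_code, now=None):
        """Apply a pending change if a *different* person approves it with a
        valid TOTP. Returns True on success, False on any rejection."""
        req = self.pending.get(change_id)
        if req is None or req.status != "pending":
            return False
        # Multi-person control: the requester cannot approve their own change.
        if approver == req.requester:
            self.audit.append(("rejected_self_approval", change_id, approver))
            return False
        # Multi-factor control: the approver must present a current TOTP.
        secret = self.mfa_secrets.get(approver)
        now = time.time() if now is None else now
        if secret is None or not hmac.compare_digest(mfa_code, totp(secret, now)):
            self.audit.append(("rejected_bad_mfa", change_id, approver))
            return False
        self._apply(req, approver)
        return True

    def _apply(self, req, approver):
        record = self.records.setdefault(req.record_id, {})
        old = record.get(req.field_name)
        record[req.field_name] = req.new_value
        req.status = "applied"
        self.pending.pop(req.change_id, None)
        self.audit.append(("applied", req.change_id, req.requester, approver,
                           req.field_name, old, req.new_value))


if __name__ == "__main__":
    # Constructed demo data: two users sharing the RFC 6238 reference secret.
    secret = b"12345678901234567890"
    store = SensitiveRecordStore({"vendor-100": {"bank_account": "OLD-IBAN"}},
                                 {"alice": secret, "bob": secret})
    req = store.propose_change("alice", "vendor-100", "bank_account", "NEW-IBAN")
    store.approve(req.change_id, "alice", totp(secret, time.time()))  # self-approval rejected
    store.approve(req.change_id, "bob", totp(secret, time.time()))    # accepted
    for entry in store.audit:
        print(entry)
```

The `now` parameter exists so the approval path can be tested against the RFC 6238 reference vectors deterministically; in production the code would be validated by the identity provider, and the audit list would go to an append-only store rather than memory.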
Measuring the benefits
A strong resilience strategy brings a handful of benefits, one of which is improved productivity, says Rajavel. “By having robust contingency plans and backup systems in place, organizations can minimize disruptions and maintain productivity, freeing up teams to focus on innovation and growth,” she says. Proactive risk management also helps lessen the likelihood of breaches, she adds, helping to safeguard sensitive information and instill trust in customers and stakeholders.
Resilience tactics can also correlate individual failures to direct financial repercussions. “Among other things, resilience practices help to identify single or concentrated points of failure, understand potential financial impacts related to outages and disruptions, and establish and test recovery capabilities,” says Stapleton. The insight garnered from these practices can inform budgeting prioritizations and influence planning around business partnerships and product trajectories.
CIOs can measure the benefits of resilience in various ways, too. Perez highlights metrics like reduced security incidents, compliance adherence, and improvements in data governance. He adds that by monitoring data access patterns, CIOs can reveal whether governance policies are effective or need refinement. “These metrics not only safeguard operations, they enable organizations to pivot quickly — whether responding to market shifts or seizing new AI opportunities,” he says.
Making the business case
To advocate for investment in resilience, it’s important to quantify the risks and demonstrate why resilience is integral to stability and long-term growth. This is where the CIO can make a big impact. “CIOs should not only have a seat at the table when it comes to a company’s strategic direction, but also drive the conversation on how resilience can unlock growth for the business and improve the employee experience,” says Rajavel.
For example, investing in resilience shortens detection and recovery time, which can minimize downtime or avert disruptions altogether. Rajavel specifically recommends zeroing in on the potential impacts of disruptions on operations, revenue, and reputation, and clearly demonstrating the costs saved. “Showcasing tangible benefits, such as reduced downtime, cost savings from avoided breaches, and increased operational efficiency makes a compelling argument.”
Others agree that making the case for resilience hinges on quantifying clear ROI associated with reduced costs. “Like any risk, look at the likelihood of occurrence, strategies to mitigate, isolate, or limit the blast radius when incidents do occur, and then you can estimate probable impact costs and use that as an envelope to invest behind,” says Loura. “Investments that improve those factors lower impact costs, and thus an ROI can be created.”
Investment in resilience is an investment in business continuity. Therefore, to make the case for it, CIOs should emphasize what it brings to remediation efforts. “A digitally resilient company should be able to recover from a cyberattack or outage in minutes, not hours or days,” says Nithrakashyap. “By making cyber resilience a priority, IT and security leaders can improve their incident response times, reduce overall business disruption, and prevent a hit on the company’s bottom line.”
Of course, the argument for resilience is straightforward for businesses that must comply with regulations. Stapleton cites the Digital Operational Resilience Act (DORA) as one example. The EU regulation, which will commence in early 2025, includes baseline resiliency requirements like supply chain audits, business continuity planning, internal training, and testing against common threats. Beyond compliance, he highlights the potential loss of revenue, outage-based SLAs or even client churn, and the loss of reputation after a poorly managed disruption as key business drivers for resilience efforts.
Prepping for worst-case scenarios
Resilience is centered around formulating proactive measures to manage risk, helping to, in effect, predict the unpredictable. “A strong resilience strategy helps your team adopt a proactive posture rather than a reactive one,” says Rajavel. “This allows you and your teams to stay ahead of potential threats, ensuring business continuity.”
In today’s interconnected digital landscape, small outages can have large-scale consequences. As such, having a well-rehearsed response for worst-case scenarios is increasingly important to keep the lights on. “IT and security leaders must continue to work together to create trust and reliability in digital systems to prepare for the worst — and be able to get their business back up and running if the worst happens,” says Nithrakashyap.