Sunday, April 10, 2011

An internal billing scheme for IT risks

After meeting with a crowd of fellow hospital CISOs a few weeks ago, I had a sudden epiphany that the problem of billing IT risks inside a company is not just a peripheral one, but a primary one. And closely related to our inability to put figures on IT risks.

What about the idea of a CISO acting as an internal insurer for the IT service?

> Company board: regulates practices, if ever needed.
+----> CEO: checks correct operation.
+----------> CIO: acts as the customer of the insurance.
+----------> CISO: acts as the insurer.

The CISO would propose an offer made of:
  • Expensive insurance for inappropriately acquired or ill-maintained IT assets.
  • Cheaper insurance for IT assets that are acquired and maintained according to a set a constraints.

2 comments:

  1. Interesting. Politically possible ?

    ReplyDelete
  2. I tend to think this could be possible in two company configurations:
    - Those with "fashionable" management, who like to make it to the headlines.
    - Those with several services acting as IT providers (I'm thinking of medical machinery service for some reason but you could as well cite a company with a local IT team and a national one).
    In that latter case, the CISO-insurer would act also as a source for comparison data, earning support from the administration board.

    ReplyDelete

I can read French, English, German and Romanian, please feel free to write in whichever language you prefer.