Join Shropshire's Assistant Director of Transformation as he shares his experience of getting started with transformation and pitfalls to avoid.

Cyber risk (4/5) – Where to start cyber planning

Part four of the Cyber Risk report

Authors and contributors: Jos Creese, Martin Ferguson

Starting a cyber improvement plan can seem a daunting prospect for an IT manager. There will be a range of competing pressures, from legacy IT constraints to the need to contain the risks inherent in the new technologies frequently demanded by digital transformation programmes.

There may also be challenges in terms of justifying increasing spend in cyber insurance and protection. Many IT leaders feel trapped in a conundrum of not wanting to be a barrier to the organisation taking advantage of new technology, worrying that unless the cyber risks are understood and managed, they could have disastrous consequences and IT security competence would be called into question.

But it need not feel lonely for the CIO or Head of IT. Everyone has an interest in good cyber protection and, as previous reports in this series have indicated, the responsibility for striking the balance between cyber protection measures and technology opportunities lies as much with service management as it does with IT.

It is essential therefore, for the IT leader in a council to help business colleagues to understand cyber risks and how responsibilities for their management can be identified and assigned. This is the starting point for justifying where investments and changes might be needed in the face of a changing landscape of IT threats.

This is best achieved with a positive stance on cyber as an opportunity to enable digital change, rather than as a threat or barrier to IT innovation, because of the perceived risk. It also requires IT leaders to be able to communicate technology risks and opportunity in terms that business colleagues outside IT can understand and support.

Publications in this series: