As a digital transformation leader and former CIO, I carry a healthy dose of paranoia. Call it survival instinct: Risks that can keep an organization from staying true to its mission and accomplishing its goals must constantly be surfaced, assessed, and either mitigated or accepted and managed.
Is the organization transforming fast enough? Are stakeholders struggling or unhappy? Are agile teams overly stressed with too many priorities? As a digital trailblazer, much of my paranoia involves issues that could derail transformation, but it’s the operational and security risks that truly keep me up at night.
Many of these issues fall into the category of outsider threats, where CIOs must invest in security best practices and establish monitoring and response plans to navigate issues should they materialize. While security risks are daunting, therapists remind us to avoid overly stressing out in areas outside our control. CIOs must make the best efforts to protect the organization and drive the investments and practices that minimize security risks.
But operational risk is a different matter, and having a healthy dose of paranoia about what may go wrong can be helpful. Many operational risks seem benign, but they can materialize in a flash and put IT into firefighting mode. In many cases, asking enough “what if” questions and planning out a range of scenarios can help you separate low-impact risks from the higher-impact operational ones worth devoting resources to minimize or remediate.
While many of the following may seem to be low-risk operational issues, given time, growth, or other changes they can become unmanageable. CIOs should focus on these five risks and seek remediations before they become impactful problems.
1. Mounting technical debt from mission-critical systems
CIOs have good reason to stress out over rising technical debt and the impact of supporting legacy systems past their end-of-life dates.
“Never waste a crisis” is what CIOs suggest to their peers when another organization’s struggles make the news. For example, the launch of the United States’ new Free Application for Federal Student Aid (FAFSA) form was delayed a year, creating havoc for many college students seeking federal tuition aid. While many blamed Congress, and there were underlying issues in managing the program, one primary root cause was that the redesign required overhauling more than 20 systems, some of which had not been updated in nearly 50 years.
These included COBOL systems that connected private information from a “dizzying number of agencies,” which is why the Government Accountability Office flagged it in 2019 as among the 10 federal systems most in need of modernization.
“Legacy hardware systems are a growing problem that necessitates prompt action,” says Bill Murphy, director of security and compliance at LeanTaaS. “As these systems age, employers face difficulties in securing replacement hardware and recruiting personnel with the requisite skills for maintenance. Neglecting to address technical debt in a timely manner can lead to catastrophic consequences.”
One question CIOs need to consider today is whether code-generating AI assistants are adding code-level technical debt. The flip side is the opportunity to use code copilots or genAI low-code capabilities to simplify and reduce code.
“Businesses rely heavily on software for innovation and competition, which tends to be riddled with bad-quality code, leading to mounting technical debt,” says Andrea Malagodi, CIO of Sonar. “AI risks worsening this problem by not prioritizing quality because, just like human output, it produces code that has security, reliability, and maintainability issues.”
CIOs sitting on mounting technical debt must turn paranoia into action plans that communicate today’s problems and tomorrow’s risks. One approach is to define and seek agreement on non-negotiables with the board and executive committee, outlining the criteria under which upgrading legacy systems must be prioritized above other business objectives.
2. Team stress and burnout
Stress and burnout are serious issues CIOs should be concerned about for themselves, teammates, and colleagues. For example, in the 2024 CISO Burnout Report, 80% of CISOs classify themselves as “highly stressed,” 63% say they receive little to no support managing their roles, and 50% report losing team members because of workplace stress.
Stress and burnout in security roles are known issues because of the hours tied to these roles and the intense pressure to recover from security issues while minimizing business impact. But devsecops roles are also stressful when teams feel pressure to deliver capabilities, resolve defects, and keep up with the latest technologies.
Now, add data, ML, and AI to the areas driving stress across the organization. In the Data Connectivity report, two-thirds of IT workers report being overwhelmed by the number of tech resources required to access the data needed to do their work, and 81% of them believe the same holds true for other employees in their organization.
CIOs should be drivers of change — which can create stress — while taking proactive and ongoing steps to reduce stress in their organization and across the company. The risks of burnout mount because of higher business expectations of delivering new technology capabilities, leading change management activities, and ensuring systems are operational. CIOs should promote ways to disconnect and reduce stress, such as improving communications, simplifying operations, and setting realistic objectives.
3. Monitoring practices that kill IT culture
Regarding stress from IT operations, one clear area for CIOs to focus on is monitoring services, alerting on application performance issues, and meeting service level objectives (SLOs). On the one hand, IT operations should be paranoid about whether there is sufficient monitoring and automation to ensure systems are performing well without end-users escalating issues and executive stakeholders voicing frustrations. On the other hand, having too many monitoring tools, thousands of alerts, and ill-defined SLOs creates a culture of pervasive IT incident firefighting.
“Engineering teams are wasting precious time chasing alerts,” suggests Asaf Yigal, co-founder and CTO of Logz.io. “CIOs need to set goals to ensure that the focus is on application and infrastructure errors with a direct impact on the bottom line, and these are the alerts that should rise to the top for immediate attention.”
As a CIO, I feared having an IT outage reported to me at the executive meeting that monitoring tools didn’t capture and automations failed to remediate. I was also concerned about the increasing percentage of time IT devoted to operations, which diminished efforts toward innovation and transformation.
These indicators signal when paranoia over operations should turn into action:
- Employees report many system performance issues that monitoring should capture.
- Network operations centers (NOCs) and site reliability engineers (SREs) are responding to increasing alerts, and the mean time to recovery (MTTR) from these issues is increasing.
- Executives are reluctant to invest in innovation or collaborate with IT because the perception or reality is that IT systems aren’t performing well.
CIOs facing a growing IT landscape of monitoring tools and alerts may want to investigate AIops solutions, which help centralize observability data and use machine learning to correlate the high volumes of systems alerts into a smaller number of manageable incidents.
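The correlation step described above, turning a flood of raw alerts into a short queue of ranked incidents, is easy to prototype before buying an AIops platform. The following is an added example in Python, not code from the article or from any vendor named in it. The alert feed, service names and hosts are constructed for illustration, and the 10-minute grouping window and severity floor are assumptions a team would tune to its own environment.

```python
"""Added example: collapse an alert storm into a few ranked incidents.

Constructed sample data, not from the article. Assumptions: alerts arrive one
per line (ISO timestamp, service, host, severity, message), and alerts for the
same service that arrive within a 10-minute window belong to one incident.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"info": 0, "warning": 1, "critical": 2}


@dataclass
class Alert:
    ts: datetime
    service: str
    host: str
    severity: str
    message: str


@dataclass
class Incident:
    service: str
    opened: datetime
    last_seen: datetime
    severity: str                       # highest severity seen so far
    alerts: list = field(default_factory=list)
    hosts: set = field(default_factory=set)


# Constructed alert feed (hypothetical services and hosts).
SAMPLE_ALERTS = """\
2024-06-03T09:00:05 auth-service host-a critical 5xx rate above 5%
2024-06-03T09:00:11 auth-service host-b critical 5xx rate above 5%
2024-06-03T09:01:30 checkout host-c warning disk usage 91%
2024-06-03T09:02:02 checkout host-d warning disk usage 90%
2024-06-03T09:02:40 checkout host-c warning disk usage 92%
2024-06-03T09:03:15 checkout host-e critical disk usage 98%
2024-06-03T09:05:00 payments-api host-f info deploy finished
2024-06-03T09:40:00 auth-service host-a critical 5xx rate above 5%
2024-06-03T09:41:00 auth-service host-a critical 5xx rate above 5%
"""


def parse_alerts(text):
    """Parse the one-line-per-alert feed into Alert objects."""
    alerts = []
    for line in text.strip().splitlines():
        ts, service, host, severity, message = line.split(maxsplit=4)
        alerts.append(Alert(datetime.fromisoformat(ts), service, host, severity, message))
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Group alerts by service: an alert joins the service's open incident if it
    arrives within `window` of that incident's last alert, otherwise it opens a
    new incident. Incidents are returned in the order they were opened."""
    open_incident = {}           # service -> most recent incident for that service
    incidents = []
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_incident.get(a.service)
        if inc is None or a.ts - inc.last_seen > window:
            inc = Incident(a.service, a.ts, a.ts, a.severity)
            incidents.append(inc)
            open_incident[a.service] = inc
        inc.alerts.append(a)
        inc.hosts.add(a.host)
        inc.last_seen = a.ts
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK[inc.severity]:
            inc.severity = a.severity
    return incidents


def triage(incidents, min_severity="warning"):
    """Drop incidents below min_severity and rank the rest by severity, then by
    blast radius (distinct hosts), then by age, so the queue starts with what is
    most likely to hurt the business."""
    floor = SEVERITY_RANK[min_severity]
    kept = [i for i in incidents if SEVERITY_RANK[i.severity] >= floor]
    return sorted(kept, key=lambda i: (-SEVERITY_RANK[i.severity], -len(i.hosts), i.opened))


def summarize(incidents):
    """One human-readable line per incident."""
    return [f"{i.severity:8} {i.service:14} {len(i.alerts)} alerts on {len(i.hosts)} host(s) "
            f"from {i.opened:%H:%M:%S} to {i.last_seen:%H:%M:%S}" for i in incidents]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    incidents = correlate(alerts)
    queue = triage(incidents)
    print(f"{len(alerts)} alerts -> {len(incidents)} incidents, {len(queue)} worth paging on")
    for line in summarize(queue):
        print(line)
```

On the constructed feed, nine alerts collapse to four incidents: the two auth-service bursts are 40 minutes apart, so they stay separate, and the single informational deploy notice is filtered out of the paging queue. The same grouping key (service) and window are the two knobs that most AIops tools expose; the ranking by severity and host count is what makes the "alerts with a direct impact on the bottom line" rise to the top, as Yigal describes.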
4. Third-party data breaches
The CIO’s AI strategies and objectives in driving a data-driven organization result in the addition of many third-party partners, solutions, and SaaS tools. Security and data governance are growing challenges: 61% of companies reported a third-party data breach or security incident, a 49% increase over the prior year, according to The 2024 Third-Party Risk Management Study.
“Be paranoid about third-party data breaches and security incidents,” warns Brad Hibbert, COO and chief strategy officer at Prevalent. “To reduce the risk of an impactful third-party breach, automate your third-party risk management processes around unified internal controls assessments and continuous cyber monitoring, remediate findings, and leverage new AI tools to simplify workflows and risk analysis.”
Given the growing number of systems hosting enterprise data, the accelerating pace of changes to them, and the frequent policy changes that SaaS providers make to their terms of service, CIOs have every right to be paranoid. GenAI is a new catalyst, and 54% of workers say they rely on AI tools, while 51% have managers that encourage AI usage, according to the AI at work pulse survey. In many organizations, the velocity to add SaaS and genAI tools is outpacing IT, infosec, and data governance efforts. Meanwhile, organizations are managing the risks of just one-third of their vendors, according to the third-party risk management study.
“When considering the growing number of global third parties organizations need to collaborate with, protecting the perimeter with traditional security methods becomes ineffective the moment the data leaves the enterprise,” says Vishal Gupta, CEO & co-founder of Seclore. “Protecting-the-network-perimeter method of security is no longer enough, and security teams must instead focus on taking a proactive data-centric approach to security by placing the protection around the data itself.”
I often cite the Spider-Man proverb, “With great power comes great responsibility,” when discussing shadow IT and defining governance on citizen data science with business leaders. Many want all the benefits from analytics and machine learning but are slow to adopt proactive data governance. Add the pursuit of generative AI copilots to the mix, and CIOs have even more reason to double down on data governance before today’s paranoia becomes tomorrow’s business crisis.
5. Mounting cloud debt
Over the past decade, CIOs have transformed IT infrastructure from data centers to hybrid clouds and multiclouds while using devops automations to empower agile development and data science teams to self-serve infrastructure needs. According to the June 2024 Cloud Computing Statistics from AAG, 89% of businesses report using multicloud solutions, and 82% report that managing cloud spend has become a top priority.
Robin Roacho, lead FinOps financial analyst at SADA, says, “CIOs should be mindful of increasing cloud costs without clear justification,” and recommends:
- When establishing cost ownership, ensure that resources are labeled and tagged.
- Confirm that the financial models accurately explain budget-to-actual variances.
- Foster methodologies where existing workloads are reviewed for optimization and modernization.
- Create or adapt an alerting system when unexpected spending occurs.
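Two of the recommendations above, tag-based cost ownership and alerting on unexpected spend, are simple to check programmatically against a billing export. The following is an added example in Python, not code from the article or from SADA. The billing lines, resource identifiers, tag names and thresholds (a 7-day baseline, a 1.5x ratio and a $50 minimum delta) are constructed assumptions for illustration; a real implementation would read the cloud provider's cost-and-usage export instead of the embedded sample.

```python
"""Added example: two FinOps guardrails over a constructed billing export.

Not from the article. Assumptions: each billing line carries a day, a resource
id, a service category, that day's cost in USD and the resource's tags; the
required tags and anomaly thresholds below are illustrative choices.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class CostLine:
    day: str           # YYYY-MM-DD
    resource_id: str
    service: str
    cost: float        # USD for that day
    tags: dict         # resource tags as exported by the billing feed


REQUIRED_TAGS = ("owner", "cost-center")   # assumed ownership tags


def untagged(lines, required=REQUIRED_TAGS):
    """Return {resource_id: [missing tags]} for resources that cannot be
    attributed to an owner. An empty tag value counts as missing."""
    missing = {}
    for line in lines:
        gaps = [t for t in required if not line.tags.get(t)]
        if gaps:
            missing[line.resource_id] = gaps
    return missing


def daily_by_service(lines):
    """Sum cost per service per day; returns {service: [cost_day1, cost_day2, ...]}."""
    totals = defaultdict(lambda: defaultdict(float))
    for line in lines:
        totals[line.service][line.day] += line.cost
    return {svc: [days[d] for d in sorted(days)] for svc, days in totals.items()}


def spend_anomalies(series_by_service, baseline_days=7, ratio=1.5, min_delta=50.0):
    """Flag services whose latest day is at least `ratio` times the trailing
    `baseline_days` mean and at least `min_delta` dollars above it (the absolute
    floor keeps cheap services from paging on small swings).
    Returns (service, latest, baseline, ratio) tuples, worst first."""
    findings = []
    for svc, series in series_by_service.items():
        if len(series) < baseline_days + 1:
            continue                       # not enough history to judge
        baseline = mean(series[-baseline_days - 1:-1])
        latest = series[-1]
        if baseline > 0 and latest / baseline >= ratio and latest - baseline >= min_delta:
            findings.append((svc, round(latest, 2), round(baseline, 2), round(latest / baseline, 2)))
    return sorted(findings, key=lambda f: f[3], reverse=True)


def constructed_sample():
    """Eight days of hypothetical billing lines: one compute instance triples its
    cost on the last day, and two resources are missing ownership tags."""
    days = [f"2024-06-{d:02d}" for d in range(1, 9)]
    lines = []
    for i, day in enumerate(days):
        compute = 100.0 if i < 7 else 310.0   # runaway on day 8
        lines.append(CostLine(day, "i-0a1b2c", "compute", compute,
                              {"owner": "data-platform", "cost-center": "CC-401"}))
        lines.append(CostLine(day, "bucket-logs", "storage", 40.0,
                              {"owner": "sre", "cost-center": "CC-100"}))
        lines.append(CostLine(day, "i-9z8y7x", "compute", 20.0 + i, {"owner": ""}))
        lines.append(CostLine(day, "db-prod-1", "database", 80.0, {"owner": "payments"}))
    return lines


if __name__ == "__main__":
    lines = constructed_sample()
    for rid, gaps in untagged(lines).items():
        print(f"untagged: {rid} missing {gaps}")
    for svc, latest, base, r in spend_anomalies(daily_by_service(lines)):
        print(f"spend anomaly: {svc} ${latest} vs 7-day mean ${base} ({r}x)")
```

The two checks are independent on purpose: the tagging report feeds the cost-ownership conversation, while the anomaly check is what would feed an alerting channel. Tuning `ratio` and `min_delta` per service category is the usual follow-up, since a GPU training job legitimately spikes in a way a log bucket should not.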
AI workloads create additional consumption, especially for organizations developing large language model (LLM) capabilities. For example, one benchmark reports that hosting the LLM Falcon 180B on the default instance recommended by AWS would cost at least USD$23,000 per month.
While public clouds report near-term computing costs and CIOs can apply FinOps practices to govern and manage them, the carbon impact of that consumption is a separate challenge to consider.
Lu Zhang, founder and managing partner of Fusion Fund, shares that AI technologies consumed approximately 460 terawatt-hours of electricity in 2022. Zhang says, “Such figures underscore a growing concern that must be addressed if AI is to be part of a sustainable future. Looking forward, the continuous improvement of AI algorithms and integrating renewable energy sources into data centers are vital.”
Mahesh Juttiyavar, CIO of Mastek, recommends, “With FinOps, we prevent cloud cost surprises while upholding ESG principles for a sustainable and responsible IT future. This holistic strategy ensures resilience and long-term success.”
When we consider the technical debt inherited by today’s CIOs, it is the byproduct of rational business decisions by their predecessors and the struggle to govern and manage their longer-term impacts. Today, short-term thinking around stressful cultures, data breaches, IT operational demands, and cloud infrastructure consumption can become the next frontier of new crises. CIOs should be paranoid about these mounting risks and balance speed, agility, and innovation with prudent risk management practices.
Article: 5 IT risks CIOs should be paranoid about