CIO risk management: Lessons from Southern Glazer's CIO
Steve Bronson, CIO of Southern Glazer's Wine & Spirits, explains how his team tackles AI, talent, operational and vendor risks to keep the business resilient.
CIOs face growing technology risks beyond cybersecurity. Key takeaways from Steve Bronson include the following:
Operational fragility: Architecture and governance reduce ecosystem risk.
Talent and skills: T-shaped teams and early development programs mitigate knowledge gaps.
AI risks: Manage model reliability, shadow AI, regulatory exposure and agent protocols.
Vendor and platform dependencies: Microservices preserve flexibility and differentiation.
Supply chain: Redundancy and humans-in-the-loop maintain resilience.
CIOs face a growing set of technology risks that go far beyond cybersecurity.
While cyber threats remain the foundation of enterprise risk management, IT leaders must also navigate operational fragility, AI uncertainty, talent constraints and platform dependencies -- all of which worsen over time if CIOs ignore them. Sprawling SaaS ecosystems, vendor lock-in and responsible AI adoption are just a few of the challenges that require thoughtful governance and foresight. The technology decisions CIOs make today can have ripple effects years down the line, underscoring the importance of operational resilience and strategic flexibility.
In this Q&A, Steve Bronson, CIO of Southern Glazer's Wine & Spirits, shares how his organization approaches non-cyber risks. He offers practical insights for IT leaders tasked with balancing innovation, reliability and long-term enterprise health.
Editor's note: The following transcript was edited for length and clarity.
What categories of risk concern you the most today, aside from cybersecurity?
Steve Bronson: AI, tech debt and platform and vendor lock-in. Cyber is the foundation, but many of the risks I worry about daily are leadership and technology decisions that will compound over time if I don't address them quickly.
Operational fragility is another one -- if you're not stable and reliable in your ecosystem, you're going to have challenges. If you've concentrated talent or have a lack of concentrated talent, that can also be a risk. Change and adoption are always a big risk as well.
We treat risk more like a broader portfolio. If we've got poorly sequenced transformation, it might not break today, but if you don't mitigate it early, you could have a big problem down the road. We prioritize non-cyber risks based on their likelihood and the potential size of their blast radius. Then, we consider the reversibility. If we get locked into something, what does that mean?
What AI risks do you worry about?
Bronson: The biggest risks are around the model -- things like bias, drift and hallucinations. Then there's shadow AI and intellectual property or data leakage. Another, which is really uncharted right now, is the regulatory exposure relative to AI. This includes how much we rely on it versus what the privacy laws are in the U.S., and how all that comes into play. Additionally, if we've got automation errors happening behind the scenes in a black box, what happens when you're at scale and you see those?
My personal favorite AI risk is the MCP protocol -- the communication protocol between AI agents. Back when the internet was just forming, you had HTTP before the 'S' was added. That's where MCP is today, and that's a big risk. You need to treat it like the early days of the internet, when all the security was on you. There is no standard industry protocol.
The last one is third-party controls on AI. You've got LLMs embedded into tool sets, and you've got AI agents popping up all over SaaS tools. I'll go back to the communication protocols -- how all that mishmashes together is a pretty interesting future.
You mentioned operational fragility as a risk. Can you explain that in more detail?
Bronson: Ecosystems evolve over time, and CIOs inherit things that others have done. Systems are put in place, and investments shift or remain the same depending on what's happening over the years. So, the fewer architectural standards you have, the more SaaS sprawl there is, and with limited AI governance, disparate technologies can pop up, preventing a coherent, thoughtfully planned ecosystem. This creates fragility. When these elements interact, if you don't have mechanisms for observability or strong architecture standards and governance, your operations can be at risk.
How do skills gaps or talent retention issues create risks for IT strategy?
Bronson: Every company evolves, and now, with the speed of AI and technological change, things are moving faster than ever before. So, the risk around talent shows up operationally -- slower delivery, more rework and higher fragility of the things they put into production. If only a few people understand the model, every change can become risky.
This goes back to operational fragility, and we address it in a few ways. One way is T-shaped teams. We have breadth and depth of teams to handle what's on the left and right of them, and to go deep in their specific areas. Technically, that is super important for us.
We also run programs for internal skill development, starting early in the pipeline -- from STEM programs in high school to initiatives that encourage people from diverse backgrounds to explore technology careers. Every CIO and IT leader should help the next generation understand how cool this can be and how important it will be in the future. If we start losing that, we won't have any humans left to run the AI.
How do you manage the risk of becoming overly dependent on a single vendor, platform or cloud provider?
Bronson: In some cases, you really can't -- it's a slippery slope. ERP systems are a good example. It starts with architecture: how do you design your environment so you can fully use what a third-party tool offers while still preserving what makes your organization unique from a change management, talent and culture perspective?
Vendor lock-in is a real risk, and it's not going away. The key is managing it through architecture. If you have the right standards in place, you can define your core ecosystems -- HR core, supply chain core, ERP core -- and partner with the third party so they have design authority within that core, ensuring the system is used as intended.
At the same time, you build microservices and service layers around the periphery -- in the workflows and culture -- so you don't lose sight of what differentiates you, whether on the supplier or customer side. That's the balance.
The big trick is architecting in a way that fully uses the platform while avoiding irreversible decisions. You can't just switch from one cloud provider to another overnight -- "plug and play" isn't realistic. But if you've architected it the right way, it's at least a viable option.
How do you think about supply chain risk?
Bronson: Supply chain is huge. It's moving so fast, and there's so much reliance. We focus on our suppliers, and in the three-tier system we operate in, it's important to partner with both tiers. We have our retailers and suppliers, and we're the thread that brings them together.
For us, everything happens in the supply chain. There's a ton of automation, AI and new robotics there, so the risk that something could go wrong is significant. Therefore, when we build things, we must build them with redundancy. We're building things with the opportunity to bypass certain areas.
For example, if we're using automated storage and retrieval systems in a distribution center, we ensure there are ways to work around them or that enough redundancy is built in so it can't go down. That requires a balanced investment approach based on the actual level of risk and acceptable impact.
From a talent and integration perspective, it's about how all these systems come together and how humans interact with them. Whether it's wearables, robotics moving through facilities or other advanced tools, you cannot lose sight of how that future technology integrates into the work itself and of how humans remain in the loop.
Have you noticed a general fear of AI across your workforce?
Bronson: We're not afraid of AI. We're afraid of ungoverned AI. We also must think about silent failures or things you might not see coming. That's why building redundancy and keeping humans in the loop is critical.
Everybody wants to do the latest and greatest, but we're careful. We make sure our teams are prepared, trained and understand how AI can benefit them -- and we don't scale anything unless it delivers real value and humans clearly benefit from it.
How do you communicate technology risks to the executive team or board?
Bronson: I don't talk tech speech. I talk about risks and technology in a way they already understand, including revenue impact, cost impact, operational continuity, regulatory exposure and strategic flexibility.
We also don't talk a lot about systems. I talk about outcomes and focus on what we're driving. For example, what might happen in an order flow or to our growth if a platform fails? The conversation becomes clearer if you're really focused on outcomes and their effect on operations.
Tim Murphy is site editor for Informa TechTarget's IT Strategy group.