5 Things You Need to Know About Risk Management
- 10 October, 2012 22:00
Commercial espionage. Compliance. Crazy weather. Credit default swaps. Risk is everywhere and if you're just trying to minimise it within IT, you're missing the point.
Instead, learn to be a "risk intelligent" CIO who can help your organisation wisely take - and profit from - risks.
1. Get your own house in order first
You should certainly identify and plan for events that can affect your ability to provide a stable, available, protected, and recoverable technology infrastructure. But you have to look beyond risk that directly encroaches on IT's turf, such as network violations or data breaches, and see more broadly where in the organization technology can play a role in protecting - or exposing - assets. "So many IT departments I see are really only managing IT perimeter risk, or data breach losses, but nobody's doing anything about intellectual property," says Brian Barnier, a risk advisor with ISACA and principal analyst at ValueBridge Advisors in Norwalk, Connecticut. And over-communicate risk priorities to your technology staff, because they may be focused on a more granular set of threats than you are.
2. It's not (just) about compliance
Yes, compliance with Sarbanes-Oxley, HIPAA, and a host of other regulations is obviously a piece of the risk management puzzle. But don't let it drive your approach. "When we talk about risk intelligence, it's the CIO understanding that he or she is providing the core information technology infrastructure to support the business, and understanding all the things that put you at risk," says Deloitte & Touche LLP Principal Bill Kobel. Instead of focusing only on compliance, ask whether you have the right kind of people and technology to stay ahead in your market. But if you're stuck in the compliance mindset and running around filling out checkboxes on paperwork, you've lost sight of business objectives, Barnier says.
3. Enterprise risk management is a career opportunity
The CIO is very well positioned to drive an enterprise-wide, more sophisticated approach to managing risk. Especially in companies that are very dependent on IT-driven processes, the CIO usually has the best access to information. "The more the CIO understands about the business processes, and the business dependencies on IT, the more the CIO can be a real advocate in the C-suite of doing risk management right," says Barnier. A CIO who's implemented an IT-oriented risk framework "can easily flip it right back into a driver of enterprise wide risk management," he adds. That can help the CIO personally and help their organisation drive more profitable revenue by taking risks where they make sense.
4. There are cheat sheets
While no one can save you the hard work of understanding the risks connected to all your technology and business operations, there are multiple frameworks and standards that can put you on the road to good practices. Important ones include Risk-IT from technology governance nonprofit ISACA (the group is best known for COBIT, a more general enterprise IT management framework) and ISO 31000. But be mindful about how you apply those frameworks, Kobel warns. Frequently, specialists in a company understand different domains of a framework - such as security, privacy, business continuity, or compliance - and the framework winds up being used at what he calls a sterile, tactical level of controls and requirements rather than being connected to the way the business really operates.
5. The bad guys REALLY know how to get aligned with your business
If you aren't connecting risk management directly to business processes, you must realise that your opponents are. The bad guys are probing for vulnerabilities by looking at your fundamental operating behaviour, at your products and services, Kobel says, and figuring out how to attack you either through social engineering or through your infrastructure. The same goes for insiders: "They have an innate knowledge of a business process, or a set of activities, and they begin to navigate through the seams, to circumvent internal controls to achieve their objective," he adds. "What they're doing is targeting the business side."