CMP Network Computing

Managing IT Risk

By Tom Schmidt

For today's CIOs, there can be little doubt that these are the proverbial "interesting times." Think about it: We are more dependent than ever on IT to run our businesses, yet IT failures are commonplace. At the same time, our IT environments are becoming more complex, thus increasing our exposure to all forms of IT risk. The fact is, if we don't get IT risk under control, we put the entire business at risk. That's why there has never been a better time for taking a comprehensive approach to IT risk management.

The way we work now
It's no exaggeration to say that IT-driven innovation has become the engine fueling global commerce. That innovation has opened new markets, established new business models, and driven incredible gains in productivity. But those successes haven't come without consequences. We've arrived at a critical juncture where we have become almost entirely dependent on IT. And with IT dependence comes exposure to IT risks.

What kind of risks are we talking about? The IT Risk Management Report, published for the first time in February, examined IT risk based on interviews with more than 500 IT executives and professionals worldwide. Among the report's findings:

  • 62% of organizations expect a regulatory breach and major information loss in the next five years.
  • 66% of organizations perceive high/critical operational risk in finance and administration.
  • 61% of organizations are not highly effective at governance, compliance, and continuous improvement.
  • 24% of IT staff time is devoted to addressing business application performance delays.

Generally speaking, organizations today must address four main types of IT risk:

Security: This is the risk that internal or external threats may result in unauthorized access to information. This includes such things as data leakage, data privacy, fraud and endpoint security. It includes broad external threats, such as viruses, as well as more targeted attacks upon specific applications, specific users and specific information -- attacks to steal money and to attack the systems that your people are relying on every day.

Availability: This is the risk that information might be inaccessible due to unplanned system outages. You have a responsibility to customers, employees, and stakeholders to keep your business running. As a result, you need to reduce the risk of application or data loss or data corruption. And, in case of a disaster, you need to be able to recover in the times required by your business.

Performance: This is the risk that information might be inaccessible due to scalability limitations or throughput bottlenecks. Your business needs to accommodate volume and performance requirements -- even during peak times. As a result, you need to proactively identify performance issues before end users or applications are impacted. And, to minimize costs, you need to optimize resources and avoid unnecessary hardware expenditures.

Compliance: This is the risk of violating regulatory mandates or failing to meet internal policy requirements. Your business needs to comply with federal and state regulations, such as Sarbanes-Oxley, ISO 9000, or the British Standards Institute PAS56 framework. You need to retain information and provide a highly efficient search and discovery engine to find content in emails as required. In addition, you need to ensure that your employees are meeting your own internal best practices and policies to keep your business operating in the most efficient manner.

But it's also the case that these four types of IT risk are increasingly interrelated and important to just about everyone in the organization. For example, IT Directors and Managers are on the front lines when IT failures occur. They see how patches must be rolled out in a compliant manner to protect systems from security threats, or how data protection practices designed to improve availability might impact network performance and create security vulnerabilities if data isn't encrypted. It's all connected.

Plus, as IT failures become synonymous with business failures, IT risk is becoming a topic within the boardroom and the executive suite. In fact, companies such as FedEx, Procter & Gamble and Home Depot have even established special board committees whose sole purpose is management of IT risk.

Five steps to managing IT risk
There is a five-step approach to managing IT risk. The cornerstone of the approach is this belief: When an organization successfully manages IT risk, it is better able to use IT to compete and innovate with confidence.

The first step is to develop an awareness and understanding of specific IT risks to your business -- security, availability, performance and compliance.

The second step is to quantify risks through an impact assessment and develop a business case for IT investment. Impact can take many forms, including customer losses, business losses, damage to brand equity, legal costs and regulatory fines.

Next, companies should understand the range of tools they can apply to managing IT risk and design a solution. Technology is clearly an important component of the solution, but just as important are tools that address the human elements of an IT system, including training and operational processes.

The fourth step is to align IT risks and costs with the business to find the right level of investment and implement the solution. Obviously, we can't afford to apply the highest levels of protection to every IT risk we identify.

The last step is to develop a systematic ongoing capacity to manage IT risk. It's not a project, but an ongoing activity that must be built into the culture of the organization.

Conclusion
Today's organizations are more dependent than ever on IT. As IT dependence increases, however, the potential for an IT failure to disrupt business operations becomes a serious management concern. Organizations must find a way to reduce exposure to IT risks, decrease costs, and build greater capacity for IT to drive business innovation.

Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.

IT Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

TechWeb is brought to you by CMP Media LLC, Copyright © 2004