IT risk management involves auditing the current state of your organization’s digital assets. In the process, you’ll need to consider how and where your information is stored, what internet/cloud services you use, and how your employees are trained to interact with technology, among other concerns. Managing risk in information technology means safeguarding customer data, setting up basic defences against cyber attack, and developing an incident response plan that mitigates potential damages.
The Essentials of IT Risk Management
When we talk about risk, we’re essentially discussing probability. The basic questions behind risk management are:
- What might happen?
- What’s the chance it would happen?
- How bad would it be?
- How could we respond?
In IT risk management frameworks, we label the answers to those questions “threat,” “vulnerability,” “asset value,” and “countermeasures.” In order to understand the severity and potential risk, you must answer those questions.
Risk management strives to reduce the number of possible things that might happen by setting up defences that eliminate some threats. Then, for the threats we can’t eliminate entirely, we look for ways to reduce the likelihood of them happening, making us less vulnerable. Next, we look for ways to limit the downside of a potential threat. Finally, we develop a response plan that would take care of the threat and return the organization to normal function as quickly as possible.
In the United States, the national standard for IT risk management is the National Institute of Standards and Technology’s risk management framework. The International Standards Organization also has a framework for risk management. Both of these resources provide valuable step-by-step guidelines for creating an IT risk management plan that works for your organization.
How to Have the IT Risk Management Discussion
One of the biggest hurdles to implementing an IT risk management plan is getting buy-in from senior leadership in the company. Many leaders are hesitant to make decisions about technology, and often senior leadership doesn’t understand the technology the organization uses well enough to know why a risk management plan is needed.
The Harvard Business Review suggests ways to broach the IT risk conversation with company leadership. The focus should not be on the technology. Instead, frame the conversation as a business decision that all parties can understand. Framed as a business decision, your IT risk management conversation should address:
- Availability – How will we access our data and technology in the event of an incident?
- Accuracy – Is our data complete and correct?
- Access – Who can see our data and how do we keep out attackers?
- Agility – When we want to move into new industries or markets, can our IT infrastructure adapt?
The key here is to involve management early and often in the process and get buy-in on the need for an IT risk culture. Additionally, as you build your IT risk team, make sure knowledge is dispersed among the participants. Expert knowledge hoarding is a risk in itself: relying on one person to understand your network is a weakness.
Using these tips, you’ll be well on your way to creating a functional IT risk management framework that protects your organization. Many professionals don’t know where to begin planning for a potential attack. Luckily, just these few key elements can go a long way.