Understand information technology (IT) risk management and strategies to reduce your company’s exposure to cyberattacks, outages and other incidents.
- IT risk management helps protect your business’s critical interests.
- A formal risk management framework identifies threats and measures the level of protection necessary to defend your company’s data and other information assets.
- Cybersecurity risks — especially email-borne threats — top today’s IT risk management agenda.
A company’s data is its lifeblood. And according to a 2020 survey by IDC, enterprise data collection is growing more than 42% each year. From the intellectual property that drives unique value to the personal information of customers, organizations must have a plan — information technology (IT) risk management — to lessen the chance of a data breach or outage.
What Is Information Risk?
Information risk is the potential damage an organization could sustain if an event or unauthorized actor compromised, breached or otherwise disrupted its network infrastructure or data assets.
IT risk comes in many forms, including cybersecurity issues (phishing, ransomware), physical threats (fire or floods), technical failures (bugs, crashes), infrastructure breakdowns (loss of internet connection), strategic risks (poor technology choices) and human error (accidental data deletions). Cybersecurity risk has become not only the biggest IT risk, but one of the top three overall business risks, cited in a recent survey as neck-and-neck with the pandemic outbreak and business interruption.
Organizations measure the level of information risk by the impact that such an incident could have on operations, financial performance and reputation. An organization’s tolerance for risk depends on the value of the data. For example, if the data includes patient medical records or classified files, the risk of compromise is much greater than for less consequential content, such as marketing communications documents.
Assessing IT Risk
Groups such as ISACA, an industry association, recommend that organizations start by creating an information risk assessment, which identifies and formalizes the types, amounts and priorities of risk they can tolerate.
IT risk assessments provide the foundation for effective risk management programs. Organizations should conduct them by:
- Appointing a qualified manager who is familiar with risk management frameworks and methodologies to oversee the process. This manager must understand the IT function, be able to lead a team of senior stakeholders and have effective communications and conflict-resolution skills.
- Building a team of stakeholders consisting of business leaders (legal, finance, HR, marketing, etc.) and IT (key infrastructure decision-makers, security, software development).
- Considering blueprints such as ISACA’s COBIT 5 for Risk, described as a process used to identify and qualify or quantify risk and its potential effects. The IT security risk assessment process includes scoping, analysis and control evaluation.
What Is an IT Risk Management Framework?
IT risk management goes beyond assessing the risk an organization faces if specific information is stolen or otherwise temporarily or permanently unavailable. IT risk management determines the importance of the data, the level of resources and the investment that should be applied to protecting IT infrastructure and its information assets. Many organizations create an IT risk management framework for this job.
There are many approaches to developing and maintaining an IT risk management framework. The Info-Tech Research Group boils the process down to three steps:
- Review IT risk fundamentals to establish a risk governance framework.
- Identify, assess and then prioritize IT risks.
- Develop a program for monitoring IT risks, developing responses and communicating IT risk priorities.
The National Institute of Standards and Technology Risk Management Framework (NIST RMF) drills down on cybersecurity and data privacy specifics. The NIST RMF is a seven-step process for implementing IT security risk management programs that meet Federal Information Security Modernization Act (FISMA) guidelines. FISMA governs federal agencies and their contractors, but the NIST framework is widely viewed as a best practice outside of the federal procurement world, as well. It lays out these steps:
- Prepare: Conduct an assessment and frame the activities needed for managing security and privacy risks.
- Categorize: Catalog the information processed, stored and transmitted based on the impact analysis.
- Select: Select the appropriate NIST-recommended controls to protect the system.
- Implement: Set up controls and document how they are deployed.
- Assess: Determine if the controls are operating as intended and producing the desired results.
- Authorize: Executives in charge make the final decision to begin operation of the system.
- Monitor: Continuously observe implementation and system risks.
Why Is Risk Management Necessary?
Risk management isn’t just a “nice-to-have” for IT and security operations; it is an essential component of business governance and compliance. Given the seemingly daily reports of ransomware attacks and major data breaches, IT security risk management has become a high-priority, board-level consideration. The process has strategic, financial, operational, regulatory and reputational implications, according to Deloitte, a management consultancy.
As important as it is for IT and security leadership to have a formal IT risk management process, CEOs and boards must also understand their cyber risks, to drive all stakeholders’ awareness of the potential threat to their business and to put adequate protections in place. IT and business leaders need to be aligned when it comes to information security and risk management.
Focusing on Cybersecurity Risks
With cybersecurity as a primary risk, information security risk management requires the following:
- Providing a way to measure the level of cybersecurity risk an organization may accept against the benefits of different technologies.
- Undergoing a cybersecurity audit to identify all risks and measuring the level of unknown threats.
- Developing a comprehensive plan to reduce vulnerabilities and threats.
- Deploying solutions that will mitigate breaches or attacks.
- Enacting comprehensive security awareness training programs for all employees and stakeholders.
Assessing the Largest Cybersecurity Risk: Email
The largest IT security risk that needs to be managed is email, in the form of omnipresent phishing and ransomware campaigns. Organizations undergoing information security risk assessments will typically find a high threat of exposure to email attacks at the perimeter of their network, inside their network and beyond the perimeter, where their brand may need protection from spoofed websites and other threats.
In Mimecast’s survey of 1,025 IT decision makers, 82% experienced downtime from an attack last year, while 51% were hit by ransomware. Those who fell victim to a ransomware attack faced three days of downtime. According to the survey, 60% said an email-borne attack this year was inevitable.
The Bottom Line
IT risk management is a critical function for any organization. Having an information security risk management process is not just an IT issue; it is a matter that CEOs, top business executives and corporate boards are, or should be, paying close attention to. Cyber threats are not going away, and the impact of an event or bad actor can damage an organization’s operations, finances and reputation.