IT risk management allows organizations to prepare for some of the most costly risks they’ll face — every threat presented by devices, applications, and the internet. Successful risk management requires risk and IT teams to frequently work together and is most beneficial when organizations use software to organize their entire approach to risk.
What is IT risk management?
What are common IT risks?
How does IT risk management work?
Why is IT risk management important?
How to implement IT risk management
Ensure risk and IT teams work together
Prepare for insider risk
Prepare your strategy for organizational scaling
What is IT risk management?
Information technology risk management is a specific branch of risk mitigation, prioritization, and optimization that focuses on the probabilities and threats that come from enterprise hardware, software, and networks. Focus areas of risk management include:
Mitigation — enterprises work to lessen the negative impact of problems that have already occurred
Prioritization — enterprises decide which risks are most important for them to handle and which are less critical
Optimization — enterprises discover which risks are worth taking so they can reap the benefits if the risks pay off
Typically, enterprises create a risk management plan (often known as a GRC framework or a business continuity plan) that involves multiple company stakeholders. Enterprises often use a software platform to digitally track risks; the application alerts them when a new threat arises and shows their progress toward compliance with any applicable regulatory standards.
What are common IT risks?
Examples of IT risks include employee mistakes, software vulnerabilities, and network and device failures.
Human error
Employee mistakes are responsible for around 85 percent of data breaches, according to The Psychology of Human Error study conducted by Stanford University and security firm Tessian. These errors include clicking links in emails that download malware onto a device, failing to use distinct, strong passwords for each account, or accidentally giving away company information over a phone call or text message.
Hardware failure
Eventually, servers grow old, laptops die, and storage disks fail. This becomes a risk when the data on that hardware isn’t backed up and when an organization isn’t prepared to replace the devices.
An unexpected server failure can be catastrophic if the server was running high-performance applications with no way to automatically move them to another server. Storage system failure puts sensitive customer information at risk of loss. It also means the organization could become noncompliant with data regulations.
Network or web server outages
If either the company Wi-Fi network or a data center network goes down, the business not only loses valuable operational time but could also lose sales deals. If a network outage causes a user-facing application to stall, customers won’t be able to access it. The same goes for web servers: if they go down, the website goes down, too. This affects not only a business’s sales but also its reputation.
Network and data breaches
Security breaches aren’t the only IT risks an enterprise faces, but they’re one of the hardest to recover from. Some types of malware embed themselves so deeply into a company’s IT infrastructure that even reinstalling a system won’t automatically rid it of the malicious code.
How does IT risk management work?
Enterprises typically use IT risk management software to centralize and organize their approach to protecting the following areas of the business.
User access to both networks and accounts
Access risks include attackers breaching the company network, information compromise and theft, and malicious software attacks. IT risk management solutions alert administrators when an unauthorized user attempts to access a system or when network traffic resembles a common security threat.
Data management
Data risks include exposing customer data, being noncompliant with data protection regulations, and having an entire storage system breached. An IT risk management platform keeps records of each step to compliance, tracking an organization’s progress and sending alerts to stakeholders that have compliance tasks assigned to them. It also prioritizes threats, like a storage breach, that the business should address.
Third-party software and integrations
Any software that is integrated with another program has at least some ability to control it. This is another vector for attackers to breach a network, especially if the third-party application has unpatched vulnerabilities. With the right credentials or backdoor access, attackers could potentially move from a third-party application into the primary application and gain full control of it. IT risk management software offers tools such as third-party vendor assessments to gauge how secure a vendor’s platform is.
Why is IT risk management important?
Between third-party management and compliance regulations, data protection and networks, IT risk management covers every danger presented by technology to an enterprise. As enterprises undergo digital transformation and shift to remote workforces and applications, they need a centralized plan to manage their IT resources safely.
IT risk management provides a framework for businesses to track every threat presented by devices, networks, and human users. The software that enterprises use records risks and ranks their importance, detailing how critical each risk is to business operations and alerting the employees who are responsible for handling it. Without managing information technology and security risks, businesses will rapidly become swamped with compliance tasks, security threats, and endpoint device management, and will be unable to organize their responses to risk.
How to implement IT risk management
To develop a risk management strategy specific to information technology, consider approaching IT from a collaborative perspective, and be prepared for rapid growth if your enterprise’s IT risks scale.
Ensure risk and IT teams work together
An important part of risk management is breaking down silos. If your enterprise has a risk team and an IT department, they will need to collaborate to set up a successful IT risk management strategy. Working together makes both teams more aware of technology threats and better able to prioritize the resulting risks. For example, if a storage system is breached, IT or infosec teams will identify patterns within the attack and share all relevant information with the risk team.
Both teams offer insights that the other needs, according to Joel Friedman, the CTO and co-founder at risk management provider Aclaimant. “Risk managers and IT teams can work in tandem to boost risk management awareness across their business and also ensure all stakeholders can use this technology to its greatest potential,” said Friedman.
“While most risk managers are inherently experts in risk and not technology, they can lean on their IT counterparts to boost adoption of understanding of technology and data that will help them more effectively do their job. On the flip side, IT teams should also consider incorporating risk management into their processes, as any technology presents not only opportunities but also potential risks to the overall business.”
Risks and information technology are so closely entwined, it’s nearly impossible—and unwise—to keep them separate. Organizations that recognize the dangers inherent in IT and the consequences they have for enterprises will be better prepared to manage tech and security-related risks.
Prepare for insider risk
Many IT risks come from the employees within the organization. But enterprises don’t pay enough attention to the role their own workers play in creating risk, according to Jadee Hanson, the CIO and CISO at data protection company Code42. The three Ts — transparency, training, and technology — help enterprises manage those risks.
“A significant aspect of IT security risk management that is commonly (and mistakenly) neglected is insider risk,” said Hanson. “First, you want to have a transparent security-centric culture that prioritizes data protection at every level. Leaders should work with the cybersecurity team to produce well-thought-out protections on data use, handling and ownership, which can be delivered to their employees, contractors, vendors, and partners.”
Collaboration is critical to developing a risk management strategy; that includes informing employees of all the risks related to them. “Employees need to be properly trained on the business impact of their data exposure actions with security and awareness training from initial on-boarding through off-boarding. Gone are the days of hour-long training with no relevance to the work that employees are doing. To address these data exposure issues, we need point-in-time training that occurs right after data exposure events happen,” Hanson said.
Lastly, monitoring and detection tools reveal what regions of the IT infrastructure have been compromised. “Having a technology solution in place that gives security teams visibility to data moving off endpoints to untrusted cloud destinations, personal devices, and personal emails is key,” Hanson explained. “Today, most (71 percent) security teams lack visibility into what and/or how much sensitive data is leaving their organizations. Without technology providing the right visibility, it’s nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk.”
Prepare your strategy for organizational scaling
A successful IT risk management strategy must be able to grow with the company; otherwise, it will need to be reworked regularly. A better approach than redesigning the strategy each year—especially if your organization is in a period of rapid tech growth or change—is to develop a scalable risk management plan, according to Vasant Balasubramanian, VP and GM of the risk business unit at ServiceNow.
“The need to ‘plan for scale’ is due to the explosion of technology in every phase of the business: the pace of change, range of threats, growth of suppliers, and more,” Balasubramanian said. “To compound the problem, IT teams are not able to add people at the same rate as the need is growing. Therefore, first and foremost when implementing an IT risk management strategy, you should design the program with scalability in mind.
“This is a journey that cannot be accomplished overnight, but the planning for scalability must be in place up front to achieve the desired maturity over time. Only then can organizations stop the cycle of recreating IT risk programs every few years.”
Examples of planning for scale include:
Setting up an analysis plan for new technology so the IT risk management team can vet every new application or tech advancement for potential risks and rewards
Choosing risk management software your business will still be able to use in a few years, especially if the organization grows substantially
Building a collaborative IT and risk management team that persists regardless of who leaves or joins the company, and preparing to have new employees move into those roles