IT risk management is defined as the policies, procedures, and technology an organization adopts in order to reduce the threats, vulnerabilities, and consequences that could arise if data is not protected.
In this article, we’ll show you how the classic equation for risk can help you prioritize your IT risk management strategy and recommend best practices for doing so.
Understanding the IT risk equation
As mentioned in our working definition, IT risk management examines this classic equation for risk:
Threat x Vulnerability x Consequence
Threat is inherent in IT risk management, and most organizations assume that their vendors present at least some level of threat.
Vulnerability comprises the gaps in a protection program. Let’s say you have a really sensitive document and you put it in a safe, in a locked building, protected by guards; you likely feel confident that the document isn’t vulnerable to many threats. Now, if that same document was online in an open network where your organization stores all of its data, it’s easy to understand how the safety of the document is compromised. The moral of this story is to understand not only what vulnerabilities are in your protection program, but also how those vulnerabilities can be exploited. Once you parse through this information, you’ll gain a clearer idea of how to address your overall risk.
Consequence represents the harm caused to an organization by a cyberattack. An important element to consider here is the value of the information you’re trying to protect — something which can vary tremendously. For example, intellectual property data or pricing information may be of value to your organization. But data, such as personally identifiable information (PII), can also hold value because of the legal requirements to protect it. When determining risk, it’s important to ask what might happen if that data is compromised.
Properly managing IT information risk
Knowing what IT risk management is and what it entails, as outlined by the risk equation, is the first step to managing that risk. From here you can take the next step of establishing a clear strategy for information security and risk management.
It’s important to note that this strategy is typically set by the leadership in an organization. Data is the lifeblood of so many companies — so the task of managing information risk isn’t and shouldn’t be taken lightly.
Once senior executives set an IT risk management (IRM) strategy, it’s contingent on the rest of the organization — from HR to legal, marketing to finance — to set policy into action. The policies (like an acceptable use policy, for example) are written and distributed throughout the organization, so all employees understand the severity of any risk management infractions.
The IRM strategy also serves as a guideline for IT security teams to implement the technical controls (firewalls, intrusion detection, multi-factor authentication, etc.) they need to help avoid or lessen the impact of a catastrophic data breach.
To mitigate third-, fourth-, and even nth-party risk, vendor Risk Management teams must work with vendors, suppliers, and other parties critical to business operations to make sure that they have reasonable information security policies in place. These combined efforts help ensure that a company doesn’t suffer from the harm they’re trying to stay away from.
Everyone is responsible
IT risk management is not something that lies with IT or security teams; it’s an imperative that the whole organization must own.
In other words, this is not something to swiftly pass over or delegate to a low-level intern. IT risk management requires senior leadership involvement. There are simply too many intentional and unintentional threats to an organization’s data, and if these issues are ignored, the consequences could be severe. Financial, legal, and reputational harm could befall those that do not take this advice into consideration — so make sure you’re prepared!
What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by the...
If you’re using a “one-size fits all” approach to managing your vendor lifecycle, you are missing opportunities to save money and operate more efficiently. Vendor management efficiencies don’t end in the onboarding stage: using a...
If you’re experiencing frustrating delays and procedural roadblocks during your vendor management process, you’re not alone. Security managers are seeing an increase in the number of third-parties integrating with their business, and ...