We had a good turnout today for our session on IT risk management
with special guest Adobe systems, and I was interested to talk to a
couple of IT managers who admitted they’re still finding it difficult
to approach anyone in their organization beyond the CIO level to get
the support they need.
The other day I gave a few of the responses I’d gotten from a question posed on LinkedIn, where I asked about the most common (or worst) IT risk management mistakes people make.
The answers keep pouring in, and without going overboard I feel
compelled to offer a few of the ones that made it into my presentation.
Thanks to everyone who helped share their thoughts on this topic.
When thinking about IT risk management and compliance, there’s a
tendency in some IT departments to focus just on technical topics such
as:
1. Access controls – user IDs, passwords and third factor security
2. Application authorization
3. Encryption to maintain confidentiality and prevent data theft
4. Backup and recovery
What’s missing from this narrow technical focus on IT risk management and compliance is consideration of larger topics such as:
1. Business continuity
2. Disaster recovery
3. Physical security
4. Industry-wide standards such as the PCI security standard or Health
Insurance Portability and Accountability Act (HIPAA) or e-Discovery
5. Content and document management
– Yogi Schulz
A few thoughts:
- Exclusion of outside experience. Many companies lock themselves into a
particular mindset/approach (too much promoting from within), and fail
to learn from the mistakes of their peers, or to harness the massive
experience that a _good_ consultant will bring in. Business Continuity
or Risk Management may appear deceptively simple on the surface.
- Failing to enforce normal project management principles. Compliance
projects are sometimes perceived as “special initiatives”, and details
like milestones, schedules, deliverables, and limited resources acquire
new meaning.
- Companies fail to realize the benefits of compliance projects and assume
that they are a sunk cost. Infrastructure that is being put in place to
satisfy regulatory requirements can usually be used for additional
purposes (IT Calendar/IDS/etc.) at small(er) incremental cost.
– Marcin Antkiewicz
Three don’ts and a big “do”:
1) Don’t assign it to the marginal manager who hasn’t got anything
better to do. It will take far longer, cost far more, and bad processes
will disrupt your organization for years. Take the hit up front and put
the A-Team on it.
2) Don’t leave the details to process-oriented personalities. It has
never ceased to amaze me how a 5-minute task can be turned into days of
work for many people, with no additional risk reduction.
3) Involve Legal for review only occasionally. If they are involved in
the details, they will see false “risks” as long as you allow it. It’s
not wrong, it’s part of the mindset that makes them good lawyers, but
it can derail your effort.
4) Get the whole team to repeat, over and over: risk management is
about intelligently managing risk; it is NOT about eliminating risk. As
long as risks are taken by the appropriate authority in full view of
the consequences, it’s fine.
– Loren Hicks