We had a good turnout today for our session on IT risk management with special guest Adobe Systems, and I was interested to talk to a couple of IT managers who admitted they're still finding it difficult to approach anyone in their organization beyond the CIO level to get the support they need.
The other day I gave a few of the responses I'd gotten to a question posed on LinkedIn, where I asked about the most common (or worst) IT risk management mistakes people make. The answers keep pouring in, and without going overboard I feel compelled to offer a few of the ones that made it into my presentation. Thanks to everyone who helped share their thoughts on this topic.
When thinking about IT risk management and compliance, there's a tendency in some IT departments to focus just on technical topics such as:
1. Access controls – user IDs, passwords and third factor security
2. Application authorization
3. Encryption to maintain confidentiality and prevent data theft
4. Backup and recovery
What’s missing from this narrow technical focus on IT risk management and compliance is consideration of larger topics such as:
1. Business continuity
2. Disaster recovery
3. Physical security
4. Industry-wide standards such as the PCI security standard, the Health Insurance Portability and Accountability Act (HIPAA) or e-Discovery
5. Content and document management
A few thoughts:
– Exclusion of outside experience. Many companies lock themselves into a particular mindset/approach (too much promoting from within), and fail to learn from the mistakes of their peers, or to harness the massive experience that a _good_ consultant will bring in. Business Continuity or Risk Management may appear deceptively simple on the surface.
– Failing to enforce normal project management principles. Compliance projects are sometimes perceived as "special initiatives", and details like milestones, schedules, deliverables, and limited resources acquire new meaning.
– Companies fail to realize the benefits of compliance projects, and assume it is a sunk cost. Infrastructure that is being put in place to satisfy regulatory requirements can usually be used for additional purposes (IT Calendar/IDS/etc.) at small(er) incremental cost.
– Marcin Antkiewicz
Three don’ts and a big “do”:
1) Don't assign it to the marginal manager who hasn't got anything better to do. It will take far longer, cost far more, and bad processes will disrupt your organization for years. Take the hit up front and put the A-Team on it.
2) Don't leave the details to process-oriented personalities. It has never ceased to amaze me how a 5-minute task can be turned into days of work for many people, with no additional risk reduction.
3) Involve Legal for review only occasionally. If they are involved in the details, they will see false "risks" as long as you allow it. It's not wrong, it's part of the mindset that makes them good lawyers, but it can derail your effort.
4) Get the whole team to repeat, over and over: risk management is about intelligently managing risk, it is NOT about eliminating risk. As long as risks are taken by the appropriate authority in full view of the consequences, it's fine.
– Loren Hicks