Three Key Lessons of IT Risk Management

ISACA : 13 August, 2012  (Technical Article)
Brian Barnier of ISACA details three key lessons for the prevention of IT security incidents in the enterprise
You might wonder when lightning will strike your IT shop, but it’s easier to prevent than you might think. When lightning struck Knight Capital, it hopefully was a one-time event. Yet, why has this bolt struck so many times elsewhere? To prevent it, leaders need to take three key lessons to heart.

On 1 August 2012, an installation problem in Knight’s software blasted out a gusher of erroneous stock trade orders. After trading out of all those errors, Knight suffered a pre-tax loss of about US $440 million. That’s an Olympic-sized loss that happened almost as fast as a star athlete’s stumble in London.

US Securities and Exchange Commission Chairman Mary Schapiro remarked, “Reliance on computers is a fact of life not only in markets everywhere, but in virtually every facet of business. That doesn’t mean we should not endeavour to reduce the likelihood of technology errors and limit their impact when they occur.”

Endeavour how? Should we do more of the same? Recall high-profile software release errors – stock exchanges in Germany and Japan (twice), a bank in Canada (twice) and a leading wireless network. These headline-grabbing failures are just a fraction of broader IT-related business risks that include: investment/portfolio, program/project and operational (operationally stable, available, protected and recoverable). What must change?

Olympic athletes change when a technique isn’t working, and so must we. Companies can change their game to better:

* Prevent incidents
* Enable faster business value creation
* Avoid the wasted time and money that too often accompany risk management

Three Lessons:

First, focus on the objective. Manage IT-related risk to business performance objectives. In team sports, it’s not just about defense; it’s about more safely moving on offense. This scores in sports and creates growth in the economy. Further, with focus on performance, risk management can more deeply engage the organization, embedding in every decision and process needed to reach the objectives.

Second, learn from history. Companies caught in the frenzy of “now” ignore the methods and painful lessons of the past. For example, nearly 100 years of refined method in reducing both process and hazard risk is largely unknown in most risk management organizations. Instead, the wheel is reinvented, often drawing on post-Sarbanes-Oxley financial reporting and compliance-based approaches that structurally don’t fit in changing and complex environments such as IT. That’s like each year’s Olympic swimmers starting with the dog-paddle stroke.

Third, properly frame the problem. IT is a complex and changing system. Dependencies must be understood. Typical collections of controls and compliance bandages leave companies forever shocked and rocked by the latest incident. The expectation should be that problems (malicious, natural, accidental and volume-related) will arise and plan B must be ready (if only London Mayor Boris Johnson had one of those for his zip wire act). In short, a systematic fix for a system is needed to avoid painful surprises.

In summary, leaders must act to shift from:

* Compliance/control-driven to performance/systems-driven risk management
* Reinventing the wheel to learning from history (situations and methods)
* Conducting tick-box exercises to rigorously asking "what if?"
* Compliance overlay activities to embedding risk-awareness in daily decision-making and processes

To speed this shift, ISACA’s COBIT 5 and Risk IT guidance can provide a more systematic roadmap to avoiding gaps and focusing on risk to business objectives.
   © 2012 ProSecurityZone.com