Managing Risk In Fast Changing IT Environments

31 May, 2010
ProSecurityZone has attended a working group at the House of Lords to discuss the Semantics of Risk in New Spaces.
The Evolution of Risk

The Palace of Westminster has been the Government's debating chamber for almost a thousand years since the Saxon kings consulted their councils in the 11th century.

During that time, the risks of the day have always been in the spotlight, with debates taking place on how best to manage them, contain them and mitigate them. A thousand years of risk evolution has seen the nature of the threats change over time, but never more rapidly than today. Technology has moved the boundaries of risk, and the frontiers of protection have become so hazy that, with technologies such as cloud computing, they are on the brink of disappearing altogether.

It seems appropriate therefore that the great debating chambers of the Palace of Westminster should be the venue for a working session on "The Semantics of Risk in New Spaces" to which Jonathan Newell and Andy Pye from ProSecurityZone were invited to contribute.

Joining other industry experts, technology leaders and risk management specialists in a room overlooking the River Thames, we set about the tasks of defining the challenges presented by the current risk landscape and how to deal with the rapid pace of change.

Organised by Risk Intelligence experts, FlexEye, the invited delegates included Risk Managers and Consultants from banks, telecoms companies, industrial corporations and the public sector.

Risk and Technology Change

The discussion was largely focussed on technology change with Cloud Computing and the rise of Social Networking being used as the main examples. Recognised as being able to provide significant benefits, such tools must be embraced with appropriate safeguards put in place to mitigate the risks. These risks boil down to information theft, organised cyber-crime, malware, loss of service and loss of control. There is also the question of the dependence on IT of physical systems and utilities. As IT risks increase, physical infrastructure also becomes more vulnerable.

Mitigating such risks is as much about organisational and procedural change as technology. There is absolutely no room for conservatism when it comes to changing our approaches to risk management. In his opening address, Lord Erroll took a sledgehammer to one of the tablets of stone on which corporate IT rules are carved when he said "Mainstream anonymising will become normal for protecting identity". You may not agree with him but making such profound changes to the way we view our procedures heralds the new approach to risk management. As one delegate said, "Risk management should not be simply about compliance, it's more than that. We should stop ticking boxes and start being innovative in how we protect against risk".

Operate Decide Implement

Part of this innovation lies in the balance between redundancy and resilience. Redundancy is expensive and resilience can take many forms, from "bolt-on" protection products to built-in resilience which forms part of the processes that are being operated. Building this resilience in is the area that demands the most innovative approaches. The most demanding aspect of this is in defining the implementation to allow protected processes to operate effectively without becoming cumbersome. For IT processes, risk management should run at "clock speed" to enable changes to happen in real time. An "ODI" (Operate - Decide - Implement) culture is the only effective way to keep up with the speed of change in IT related risk.

Human Factors in Risk Management

Social networking is creating a generation gap within business and it is younger employees who are using the technology most effectively as a business tool as they're on familiar ground. Engineers solve technical problems faster and more accurately using bulletin boards, LinkedIn and Skype than they would with a whole library of data-sheets, manuals and textbooks. Social networking is pushing this trend inexorably towards fast-responding, paperless working environments. The risks are currently high. Blocking it removes the risk but stifles progress, innovation and ultimately business viability. Understanding the risks and having processes in place to mitigate them and respond to changing vulnerabilities enables the whole workforce to flourish, regardless of age.

The other side of the employee risk coin lies in the much publicised "internal threat" where employees of the company are seen as a greater threat than external influences. As Lord Erroll put it, "Employee risk is becoming greater as loyalty seems to be on the decline".

Loyalty was never anything that companies should bank on for preventing their secrets from reaching competitors but it was always easier to secure those secrets when the boundaries were well defined and distributions could be easily controlled. It might be true that loyalties are declining but I think it's more significant that there are more opportunities to walk out with the crown jewels than there has ever been in the past. Mitigating this risk is like any other: understand the risk, put processes in place to control the risk and use technology to provide the mitigation.
