5 Ways to Address IT Risk for Competitive Advantage

Jon Murphy outlines five steps any organization can take to proactively address risk and achieve competitive advantage.

How is your environmental dynamism?

'Environmental dynamism' is the perceived rate of change brought on an organization by external forces. "The forecast for most companies is continued chaos with a chance of disaster," according to Geoffrey Colvin, noted Fortune Magazine columnist. Yet, if organizations do not adapt, change, and embrace the positive possibilities hiding in chaos, they begin to die. Conversely, organizations that allow unbridled growth and that do not proactively manage change invite a kind of chaos that could lead to an organizational form of cancer. That malignancy can consume all resources until almost nothing productive is left.

The headlines are full of former leading companies struggling for their very survival with this balancing act. In the realm of IT risk, some companies are faced with both extremes mentioned above simultaneously. The good news is the remedy is fairly straightforward, though not necessarily inexpensive. Here are five tips for remediation:

Tip # 1: Shore up the foundation first: Invest in infrastructure improvementBusiness Continuity/Disaster Recovery, employing intrusion checking systems, regularly scanning for vulnerabilities, and more.

Asa Hutchinson, former Under Secretary for Border and Transportation Security, Department of Homeland Security, whose duties also included cyber security, recently stated that if private or public organizations are not "doing the basics of risk management hygiene," then the organization is "a headline waiting to happen." These basics include meeting some information security standard with requirements to log sensitive systems access, addressing

The most obvious sign of a company failing to address the basics is a badly neglected IT infrastructure, which is the cornerstone and foundation for the rest of the effectiveness of IT overall. This vulnerability most often manifests itself in inadequate environment management systems/tools, old and unreliable hardware, and a status of neglect until something breaks. Remember, even the very best developed software and applications code is ineffective and inefficient if it rides atop poor infrastructure environments. Other necessary steps in this area include utilizing formal project management disciplines enterprise-wide, actively managing vendors, enforcing budget discipline, and reducing unwarranted complexity where possible.

Tip # 2: Embed IT risk awareness and management in every business process

Leading IT risk entities have conducted extensive research indicating organizations that proactively address IT risk reap significant rewards. These rewards include, on average, 17 percent higher revenue, 14 percent higher profit, and 22 percent better customer retention than competitors. The same studies also found nearly 88 percent of all security breaches would have likely been prevented by generally accepted "reasonable" infosec processes and systems. When embedding these elements, it is imperative that executives measure for effectiveness and lead by example.

Also see How to Write an Information Security Policy

Tip # 3: Empower IT management with proactive business leadership support

According to volumes of other research, most pervasive IT risk does not arise from poor technical performance. Nor does it arise from low- or mid-level technical personnel's mistakes. Rather, IT risk most often arises from the failure of the enterprise business leadership to assist with oversight of IT in some logical governance framework. External risks aside, the internal "homemade risks" of an ineffective IT department—e.g. overspending, failed projects, costly disparate environments, unhappy business users, low morale, poorly performing applications, downtime, and imprudent use of scarce corporate resources—are sufficient reasons to take a more proactive approach to managing and empowering IT.

A governance framework (a la COBIT, COSO, ITIL, CMM), more simply stated, is a way for the business leadership to ensure that IT is doing the right things right the first time! Otherwise, over time, risk-blind, inattentive, and disjointed actions and inactions on the part of the business with respect to IT accumulate. These add to unnecessary complexity and compound the conditions for disastrous, runaway, and potentially unrecoverable incidents. Decisions made at the local or business unit level often exponentially increase enterprise-wide risk and confuse the IT department on which risks matter most to the business. In other words, the undisciplined multitude of undocumented business processes, or lack of process altogether, produce a risk-ridden IT system quagmire.

Tip # 4: Consider risks not only in the more traditional terms of confidentiality, integrity, and availability but also in terms of access, accuracy, and agility

Once addressed through a continuous process, proactive IT risk management produces three main competitive advantages. First, there is less firefighting. This allows the enterprise to focus on more productive and strategic work. Second, the foundation is better structured thus freeing resources, personnel, and dollars to concentrate on more value producing efforts. Third, the enterprise is situated in a stronger position than others to assess risk and thus potentially take on opportunities that others would consider too risky or too costly to pursue. Perhaps the best benefit from appropriately addressing IT risk might be that business executives and IT staff alike can sleep at night!

Tip # 5: Raise awareness of and embrace upside risks enterprise-wide

Risk—both upside and downside—may arise from emerging technology, globalization, data growth, vendor/supply chain complexities, client expectations, economic ebbs and flows, and compliance requirements, just to name a few sources. In many organizations, the upside is dismissed. However, isn't being unable to accommodate a 200 percent increase in new business volume almost as bad as suffering a 50 percent loss in productivity? Wherever risks arise from, we can all agree there are a plethora of risks already present and more apparently forthcoming. Effective leadership requires choreographing change to address the upside and downside risks and the vulnerabilities inherent to both. This is especially true around IT risks since companies are ever more dependent upon the lift IT brings via automation of key business processes, linking to customers and suppliers, and ever-increasing, mandated compliance reporting.

Jack Welch, the legendary chairman and CEO of General Electric, is credited with stating that when the actual rate of change outside an organization exceeds the internal rate of change, the end is near. Information technology as a discipline completely reinvents itself every 18 months or less. With this break-neck rate of change, comes inherently more risk because the primary coping mechanism is to rely on yet more automation that must be understood, managed, and maintained adding to the legacy and complexity of what already exists and cannot yet be replaced or upgraded If IT risk is holistically addressed throughout the enterprise, with progressive and proactive measures as suggested above, leadership can make rational, informed trade-offs about IT risk in business terms that positively differentiate it from the competition.

Jon Murphy CISSP, CBCP, CDCP, PMP, NSA-IAM/IEM, ITILv3 is the Senior Director of IT for a national provider of trustee, administrative processing, and legal services to the financial and mortgage services industries. He has spoken on the topic of IT and homeland security at many industry and trade conferences, including AITP, ISSA, CPM, and DRJ.


Copyright © 2009 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)