Risk Management vs. Compliance

With the increasing pace at which scams, ransomware, attacks and breaches occur in IT, the nature of these risks is outpacing the compliance standards they are based upon. IT managers and staff have to work out how to manage their IT assets (apps, data, devices, networks, staff and access) so that those assets keep the operations of the organisation working no matter what risk or threat appears on the landscape.

The board, senior executives and management team view IT as an operational requirement. They define the business objectives and require IT to support those objectives.

In my dealings with boards of directors and management teams, and as a member of such functions, I know quite well that when the word ‘cybersecurity’ is mentioned, many do not understand its nature, impact or risk rating upon an organisation. Put more plainly: when someone on the board or in business operations utters “cybersecurity,” he or she doesn’t interpret the word to mean “to be in compliance with applicable privacy and security regulations.” The person interprets it to mean “our IT stuff works and other people can’t somehow use it to muck up our operations.”

Sometimes this is a translation error between the technical language spoken in IT and the business or conversational language that we all understand.

The primary risk for most organisations is that technology fails in a way that forces the doors to close: staff are left idle, phones and emails go unanswered and, bottom line, invoices are not created. That’s what worries the board. That’s what the board wants to hear about when the IT manager or head of the IT function briefs them on cybersecurity.

Information Technology is an Operational Risk

“Information Technology is an Operational Risk, it is a core enabler of the business function of any institution” (Central Bank of Ireland)

So let’s rephrase our main point today as a series of questions:

  • What are the organisation’s mission-critical business processes?
  • How does technology support those processes?
  • What are the biggest risks to employees’ use of that technology?
  • How do your cybersecurity procedures and controls work to thwart those biggest risks, so the mission-critical processes can continue without disruption?

That’s how cybersecurity and IT governance are, in the modern business world, essentially the same thing.

Who’s in Charge of This?

If IT governance is so important for cybersecurity and business objectives, to whom should the head of IT governance report?

Does that function exist in your organisation? Is it left to you, or has it been allowed to slide in favour of the bigger requirement of keeping operations running?

IT governance and information security are the same thing, so they should be managed by the same person.

This is what we do: oversee IT governance and IT security, and ensure that there is a single point of oversight into both functions that reports to the board or senior management team.

Look at the situation as follows. Twenty years ago, a corporation’s most important IT assets were a bunch of rack servers stored in an IT closet at the end of the hall. You could run Ethernet cables to fixed employee workstations, and “security” meant maintaining a firewall to keep other parties away from those servers.

Today, most companies use cloud-based vendors to store and process their data. Employees and third parties access that data over whatever wi-fi network they can find, using software apps also provided over the cloud, on computing devices they might own themselves, while working at home or lord knows where.

In the current cloud environment, what is the true IT asset of an organisation? Can you define it? If so, you can put controls in place to manage its risk. If you cannot, then you are in trouble.

  • Is it the computer in front of you?
  • Is it the server in the IT area?
  • Is it the laptop, phone or mobile device that you or others use?
  • Is it the cloud platform you use?
  • Is it the data that resides on your computer and backed up to the cloud?
  • Is it your email account?

So what’s the true IT asset in that picture? It’s not the rack server, since your company no longer owns one. It’s not even the employee’s tablet or phone, because who cares if those things get stolen? The company can reimburse the worker for, like, €400; hardware is replaceable.

IT Governance

What matters is your ability to govern access to the data. That’s the IT asset: your ability to keep others from using that stolen iPad, or stolen access credentials. The asset is your collection of policies and procedures to evaluate relationships, study data usage patterns, raise alarms about suspicious behaviour, provision or de-provision user access, and so forth, and your database of customer interactions and records.

That’s IT governance in the modern world. It also sounds a lot to me like IT security, because all I’ve talked about for the last five paragraphs is securing the data.

So when we talk about cybersecurity, we’re really talking about the need to manage IT risks in the modern world. And when we talk about those risks, it’s clear that strong IT governance is what gets them resolved to the board’s satisfaction.

Something to think about as you prepare that next report to the board.
