Managing IT Risk
In the past, IT risk management was not necessarily considered a priority in most organizations. Disaster contingency recovery plans were basically non-existent and IT managers were not very accustomed to protocols for handling various crises. Potential crises were also limited to rather unsophisticated forms of spam or other denial of service attacks (McKeen, J. D., & Smith, H. A., 2012). Attackers are becoming more adept at infiltrating systems and attacks are becoming more malicious in nature as the methods for hacking and harming systems become more sophisticated.
Whether it be retrieving personal information from databases, installing malicious software on company servers, or using zombies to perform denial of service attacks, the myriad of methods to cripple a firm's IT infrastructure continues to progress. This sophistication is making it more difficult to trace the attackers, as well as making these attacks harder to detect, diagnose, and remedy. Falling victim to security breaches or outages of various enterprise applications has become increasingly devastating for organizations as they become more reliant on IT to conduct business operations, and the legal ramifications for improper disclosure of such events, or loss of personal information, have become more significant due to legal regulation of information privacy.
It would be negligent not to mention the internet "hacktivist" group Anonymous in a discussion of IT risk. Anonymous has been successful in performing denial of service attacks on corporate giants such as MasterCard and Visa, and has caused outages on several government and religious websites over the past few years. Although this group is more concerned with the message that they are trying to portray and less concerned with the siphoning of personal data, you must agree that they are also exposing the vulnerabilities of the Internet. They are basically telling us, "We can take what information we want, when we want, and do what we want with it". The group is comprised of some of the most efficient and effective "White and Black Hat" hackers available today. With the apparent vulnerabilities of Internet applications, it is imperative that IT risk not be taken lightly, and that appropriate measures be in place to prevent, detect, and rectify systems in the event of an IT crisis.
The loss of personal information, and the disclosure of such events, have gained much ground in the courts. More and more companies and individuals are being prosecuted for indecent and/or negligent use of personal information. Penalties range from fines to imprisonment of those involved in these events; this topic is an essay in itself. The importance here is to recognize that the presence of governing laws for the Internet is making it increasingly important for organizations to have a defined risk management framework in place to protect them from litigation as well as to protect their customers from indecent use of their personal information (McKeen, J. D., & Smith, H. A., 2012).
Managing IT risk has become an integral and vital component of organizations and has spawned a new concept the textbook outlines as "enterprise risk management". Simply put, enterprise risk management is a methodology of risk management that incorporates IT risk management into the organization's general risk management policies and procedures. Although enterprise risk management sounds great in theory, managing risk management requirements across several business units can be a complicated endeavour that should be seen as a constant work in progress, as the nature of risk in a business is changing constantly, especially in more technologically reliant companies.
Developing a risk management framework that accommodates the various business units in an organization in a complementary manner, although difficult, should be the goal in mind during the design and implementation of such frameworks (Da Veiga, A., & Eloff, J. H. P., 2007). Constant revision and input across various business units can help to ensure that the needs of the various areas of the organization are represented in the risk management framework for the organization. Often, the success in implementing a risk management framework like the one described in this paragraph is hindered by a lack of support for IT from senior management, or by the inability of the IT department to present its case to other departments in a way that shows its importance to the organization (McKeen, J. D., & Smith, H. A., 2012).
As we know, most IT representatives are not what you would call "social butterflies". They are often very analytical in nature, with strong technical knowledge in their field, which is often a detriment when trying to convey important points to senior management during meetings and audits (McKeen, J. D., & Smith, H. A., 2012). "Tech talk", a term I will use to refer to overly technical IT jargon, almost frightens those who are not familiar with technology, while it bores others to sleep. We are currently in a transitional period in business where there are many senior executives who have only recently been introduced to the importance of IT, if at all, and their recognition of its value to the business will also vary widely. Regardless of how important other business units consider the IT department to the organization as a whole, it is important for IT representatives to present their risk management proposals in an organized, short, and non-technical fashion, ordered by relative urgency to the company (McKeen, J. D., & Smith, H. A., 2012).
As the textbook explains, people are accustomed to stoplights and what their colours represent (red means stop, and so forth), which makes their use in conveying the relative importance of risks to the company very effective (McKeen, J. D., & Smith, H. A., 2012). Also, avoiding technical terms in the description of the risk will help to avoid frightening the "non-techies" and help them understand it in terms of how it affects the organization (McKeen, J. D., & Smith, H. A., 2012). Finally, keeping it organized, short, sweet, and to the point will help keep the audience from falling asleep during your presentations. The effective use of visual aids and background on the reasons the risks are important could also be pertinent, depending on the discussion topics and the knowledge of those present (McKeen, J. D., & Smith, H. A., 2012).
Austin, R. D., Nolan, R. L., & O'Donnell, S. (2009). The adventures of an IT leader. Boston, MA: Harvard Business Press.
McKeen, J. D., & Smith, H. A. (2012). IT strategy: Issues and practices. Boston: Prentice Hall.
Da Veiga, A., & Eloff, J. H. P. (2007). An information security governance framework. Information Systems Management, 24(4), 361–372.