
IT risk management: How to get what you want


What does it take to get attention for IT initiatives in today's enterprise? In most cases, it means making a compelling business case - and getting the right information to the right people, in the right language.

IT risk management initiatives are definitely worthy of executive attention. Our economy is increasingly dependent on the Internet and on IT systems, which makes the risks in those systems far more visible and significant than ever. But it is a discipline with a myriad of stakeholders: CIOs, CISOs, enterprise risk management teams, compliance and regulatory staff, and internal and external auditors.

Step #1: Choose your words wisely

There are two types of CIOs - infrastructure managers and strategic thinkers. Strategic thinkers will succeed with their IT risk management agenda because they speak in terms of business advantages, not outages. For example, rather than talking about a "zero-day threat," simulate a potential incident and present its impact as potential business loss. Instead of talking about RTOs and RPOs (recovery time and recovery point objectives), speak in terms of the revenue and customers lost during an outage. Instead of highlighting unimplemented ISO controls, speak about the lost effectiveness of employees who need to share information both inside and outside the firewall.

Step #2: Use a High-Medium-Low spectrum of potential business loss

Part of using the right language is moving away from absolutes. Inevitably, a single point prediction of loss will start a battle over statistics and probabilities, and your request will get lost in the process. Instead, provide stakeholders with a range of scenarios and have data to back each one up. Decide whether your company's risk tolerance is low, moderate or high, and then work through the calculations for each scenario. Understand that you probably won't get exactly what you are asking for, but by presenting accurate potential scenarios, you may well get your mid-range goal.

Step #3: Use headlines to your benefit

Most business leaders dread the thought of the "orange jumpsuit retirement program." There is a steady stream of privacy and data leakage incidents that will continue to make the headlines. Make use of these "public hangings" to illustrate the real risks and to break the deadlock over incident probability statistics.

Step #4: Move your message up the chain (and sideways, too)

Consider all your potential champions and work to win them over. IT risk management isn't an exclusively IT-driven discipline. Work with the compliance team, the IT group, the legal group, the auditors, the enterprise risk management group, and the business leaders. Create cross-company initiatives that align each of these groups. This requires as much time communicating outside of IT as inside it.

Step #5: Identify your milestones

Before going in with your request, identify three milestones you expect to meet, and explain in business terms how each milestone will deliver returns to both the business and IT.

Jennie Grimes is a senior director for Symantec's IT Risk Management Program office.

1 comment

peter.novosel

This is absolutely true - getting senior-level sponsorship for an initiative of this sort is difficult, and can take quite a bit of political wrangling, time and energy. This has to be done over and over, too, as the needs of the business change, new initiatives are created, and data needs to be shared between these individual systems. For these reasons, I would encourage IT professionals to consider advocating a software platform approach when confronted with a challenge as broad and subject to future change as IT Risk Management. What about other corporate Risk Management needs? What about policies and compliance? The scope of an IT Risk project can snowball quickly when you start to think through all of the data involved and the people and systems potentially impacted. My customers have advocated this approach, and have really opened my eyes to the advantages of more cohesive, integrated solutions that have the flexibility to grow with the business. When you are going to the well for this type of project, keep future needs in mind and plan for expansion - you will save yourself time and energy, and will end up doing a service for the business as you reduce future impacts by thinking ahead.

Peter Novosel, VP Products, Archer Technologies, www.archer-tech.com
