Historically, "Corporate risk management refers to all of the methods that a company uses to minimize financial losses. Risk managers, executives, line managers and middle managers, as well as all employees, perform practices to prevent loss exposure through internal controls of people and technologies. Risk management also relates to external threats to a corporation, such as the fluctuations in the financial market that affect its financial assets."
This definition still holds true, but the practices that IT managers at all levels need in order to perform risk management are changing.
So, what's new in risk management? Below are four things that IT managers need to pay attention to, and what to do about each of them.
The primary risks managers have always faced with employees are not being able to keep key positions staffed and losing a key employee. Both directly affect department morale, staffing and the ability to keep projects going.
Now there is a new threat that jeopardizes company information, brought on by either disgruntled or uninformed employees.
"Insiders...have access to sensitive information on a regular basis, and may know how that information is protected," said Joseph Steinberg, cybersecurity expert and entrepreneur. "If they want to steal it or leak it, they can usually do so with far greater ease than outsiders. Furthermore, insiders may also accidentally leak data or otherwise put it at risk—something that outsiders typically cannot do. Whether by attaching the wrong file to an email being sent, oversharing on social media, losing a laptop or USB drive, or through some other mistake, insiders can put an organization's data at risk with little effort."
Solution: Keep employees briefed on company data security policies and the repercussions of violating them. Have employees sign employment agreements that clearly explain that company property and information are not to be shared. Implement zero trust networks that continuously monitor who is accessing data, and only admit those who have the right access permissions.
2. Cloud vendors
As companies move applications and data to the cloud, there is a looming problem with disaster recovery. What is your cloud provider's plan, or your provider's third-party cloud platform's plan, if a service outage occurs?
Many SaaS vendors don't own their own clouds. They contract for cloud infrastructure with a third party (e.g., Azure, AWS, etc.) that you don't have a direct contract with. If there is an outage at the third-party site, you have very little leverage. This exposes you to risk.
Solution: Ask your cloud vendors if they own their own cloud before you sign with them. If they don't, ask them what happens if their third party experiences an outage and who is responsible. If you aren't satisfied with the answer, and you still want to sign with them, present the risk to your CEO and the board before signing so that they are aware. Also consider the possibility of keeping a small on-premises system that you can fail over to if needed.
3. Shadow IT
As Shadow IT grows in companies, business users bring in new technology and bypass IT. When this happens, new vendors that IT might not know about begin to appear, along with new front and back doors into company data that aren't adequately secured.
Solution: Use network asset management software that identifies any new resource when it comes onboard so you can meet with users and secure the new asset. Also use zero trust networks that don't admit users to IT resources unless they have the right security permissions.
4. Social media brand damage
Social media brand slamming is usually a marketing or a PR headache, but IT can help in proactive ways to stave off brand slamming before it gathers momentum.
Solution: Procure social media monitoring software that tracks what is said about your company and its products on various social media channels. In this way, marketing can respond before too much adverse momentum builds. IT should also coordinate closely with marketing/PR in a disaster recovery situation, because marketing/PR should get messages out about the disaster to stakeholders, customers, and the media.
Mary E. Shacklett is president of Transworld Data, a technology research and market development firm. Prior to founding the company, Mary was Senior Vice President of Marketing and Technology at TCCU, Inc., a financial services firm; Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturing company in the semiconductor industry. Mary is a keynote speaker and has more than 1,000 articles, research studies, and technology publications in print.