We’ve blogged frequently on the topic of IT risk management, most recently here. With recent events highlighting the need for better risk management, now, more than ever, people are thinking about how to improve their processes and technology for supporting their risk management programs. Ben Worthen over at the WSJ BizTech blog has written recently that tech departments shortchange risk management. We couldn’t agree more.
The basic problem, as Symantec's Samir Kapuria notes in Ben's post, is that IT tends to treat risk management as a project rather than a continuous process. This may be because most IT infrastructure vendors sell risk management for project delivery but offer little that lets IT take a risk-based approach to all of its activities. It may also be because IT has to keep everything running, all the time. Regardless, unless you start with a top-down risk assessment process that identifies which vulnerabilities map to the most significant potential business impacts, you will never be able to allocate IT resources appropriately. Once you understand how realized risks would affect the business, you can take a truly risk-based approach to IT management. Obviously, we have a horse in this race, but any effort to tackle the IT risk management challenge must involve the business and identify the key risks within it.