
Rise Of Risk Management

The bad guys have stealth, time, and numbers. Fighting back requires our own unified front.

In the words of a fellow Chicagoan, never let a good crisis go to waste. A unique convergence of circumstances makes this the perfect time to bring IT and business units together under the flag of a risk-oriented approach to security. Economic stress and cutthroat competition on a global scale mean every dollar you spend on security had better matter. When the bad guys make news, it's big news: Just the speculation back in December that WikiLeaks might reveal Bank of America data, for example, briefly sent the company's stock down 3%, before it bounced back. Executives are increasingly being held personally accountable, and unified risk management as a discipline is finally reaching maturity.

Plus, the money is there. Thirty-five percent of the 563 respondents to our InformationWeek Analytics IT Risk Management Survey say their companies' IT risk management programs will get more funding in 2011 than they did last year. Very few will see cuts.

We've been talking the risk talk for years. Now it's time to walk the walk, as a team.

What does that mean, exactly? We need to articulate the value proposition for our security spending--what the business is gaining--in a manner executive management can digest. Sure, there's been pressure before to associate business risks and the cost of corresponding controls, and plenty of CISOs have slung plenty of shaky financials.

Drop the charade. Commit to shifting the focus from fire drills to the business of information security, and you can finally move from being a cost center to a strategic asset that delivers a real competitive advantage. "Our holistic program for identifying and managing IT risk has moved our culture from risk awareness to risk intelligence," says a director at a medical device company. "We have been able to educate the business and help them understand that IT risk is business risk."

Company size and vertical industry don't matter here. Large enterprises have skin in this game because their executives are accountable and their reputations are on the line. Smaller businesses that provide services or products to large enterprises care because their customers expect them to meet rules and regulations, whether PCI, HIPAA, or state-level data privacy laws. Bouncing from one tactical project to another without a master plan is a losing proposition. We've found that companies that manage risk more effectively than their peers perform better financially--in any economy.

Tenets of Risk-Oriented Security
