Dispelling Myth 2: IT Risk Management is a Project

Created: 04 Feb 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:38 GMT
Jeremy Ward

So you’ve got a project to manage the risk to your IT systems? Well, in actual fact you probably haven’t! (It’s more likely that you’re too busy dealing with incidents.) The latest Symantec IT Risk Management Report suggests that bad things are going to happen to your IT and information pretty often. In fact, 69 percent of people thought they would probably have some sort of IT incident about once a month or more (2 percent thought they’d have them every day). Sixty-two percent of people thought they would have a major IT incident and 26 percent expected to have a regulatory non-compliance incident at least once a year, while 25 percent expected data leakage from their IT systems and 8 percent thought they would have a major information loss at least once a year.

From this it’s pretty obvious that a single project isn’t going to address your risk management problems. What is needed is a more holistic approach that begins by prioritizing what must be done. First you’ve got to find out what risk is acceptable to you. This means that you have to understand which IT and information assets are important to your business. Unfortunately, only 40 percent of businesses seem to take asset classification and management seriously. Take wireless and mobile devices for instance. They’re vital to modern business, but only 34 percent of organizations believe that they have an up-to-date inventory covering these assets. When you deal with incidents you have to understand what is likely to cause serious problems. There’s an old saying that knowing yourself is the beginning of wisdom – well, in IT terms, knowing your assets has got to be the beginning of risk management.

Once you know what your assets are and how important they are to your business, you will be able to plan what actions to take when the inevitable incidents happen. Just remember that nothing stays the same in the fast-changing world of business and that a single one-off assessment and plan will not be effective for long. Therefore, a dynamic response is the only one that will keep you ahead of the game.

Previous blogs in this series:

From Myth to Reality: Evaluating the State of IT Risk Management

Dispelling Myth 1: IT Risk Management is All About Security