Demystifying IT risk to achieve greater security and compliance. By Alan Bentley.

Managing IT risk is part of running any business these days. Regardless of the business, understanding IT risk helps increase network security, reduce management costs and achieve greater compliance posture.

Failure to identify, assess and mitigate IT risk sets the business up for serious security breaches and financial losses down the road. And those that think managing IT risk is the job solely of the IT staff are in for a big shock.

Companies make considerable investments in people, processes and technology to ensure their businesses run smoothly. Understanding the relationships and levels of risk among these vital assets is imperative if you want to increase network security, streamline compliance and reduce overall IT costs. The challenge for most companies is to identify a repeatable process to identify, assess and remediate IT risk without interrupting their business activities.

Today’s IT risk environment is more threatened than ever thanks to the growth in sophisticated malware attacks and security vulnerabilities, with Web 2.0 adoption adding new layers of IT risk. Regulations continue to increase, placing additional costs on organizations to meet these new requirements. Organizations need an intelligent approach when it comes to assessing IT risk and managing compliance.

What is IT risk?

IT risk can be defined as any threat to your information technology, data, critical systems and business processes.

Management has a responsibility to identify areas of control weakness and respond in a timely fashion to these by improving processes, augmenting controls and even reducing the cycle time between control testing to ensure that the organization is properly identifying and responding to IT risks. However, labour and cost constraints mean you can’t mitigate all risk. There is always some degree of residual risk, either unidentified or known but unmitigated. The problem is that many organizations don’t understand that managing their IT risk — from the shop floor to the boardroom — is critical to business success. The inherent risks in IT show up in complex and subtle ways, making IT risk management a difficult concept to communicate and manage effectively.

By aggregating and reporting on the impact of security risks within IT and understanding how these risks impact the business, security professionals can become an integral part of business decision-making process and help guide the organization to a more risk-aware culture.

Is IT risk at the board level?

According to a 2009 survey of 280 audit committee members conducted by KPMG in conjunction with the National Association of Corporate Directors, IT risk is a key area of concern. Alarmingly, 45 percent said they are only somewhat satisfied with their oversight of IT risk, and 42 percent said they are only somewhat satisfied with the quality of information they receive on IT risks. This shows a significant gap in the communication of risks between executive management and IT.

It’s critical to the IT risk management process that executives are informed of threats and assist in assessing the business impact these risks pose, and sign off on the risk position. Only when the IT and executives are aligned in the identification, assessment and remediation of IT risk can a company achieve higher levels of security and compliance.

Here is a simple four step process model that can help elevate the IT risk conversation to the appropriate business executive, aiding the decision-making process regarding IT risk posture:


The first step is to identify and classify your IT assets down to which servers hold sensitive and confidential information. But, to determine which IT assets are most important, you need to first understand the core issues that concern the business stakeholders. Risks that need to be considered include:

* Data Confidentiality

The risk that confidential or sensitive information may be mishandled or made available to those who shouldn’t have access to the data. In many regions, protection of sensitive information is required by law and is also addressed on an industry-by industry basis through organizations such as the PCI Standards Council.

* Data integrity risk

This is incurred when the underlying data is unreliable because it is incomplete, inaccurate or otherwise suspect. The cause could be deliberate tampering or simple human error, be it improper error checking on form submissions or the inappropriate configuration of a transaction server.

Regardless of the cause, the impact to the business can be considerable, especially if the erroneous data is not discovered for some time. One of the most well-known IT risks in an organization is availability. The short term loss of service due to IT systems failure has the potential to have a significant – and potentially long-lasting – impact on the daily operations of a business.

* Relevance risk

This type of risk is rarely considered, but is one of the most common types we face. It has to do with not getting the right information to the right people, processes or systems at the right time. This often means that the right action is not taken or is taken too late.

* Project risk

Essentially, an investment or expense risk: the risk that an investment made in IT will fail to provide the expected value. Frequently, the real reason IT projects fail to meet their objectives is a lack of accountability and commitment.

So, what next?

First, identify your electronic assets. This requires scanning software that can inventory your network; non IP-addressable assets (such as people and processes) require automated surveys of the key organizational areas.

Second, map IT assets to specific business processes. By understanding what your organization is trying to accomplish in the marketplace, you can establish what systems sustain that value.

In other words, you must build a complete picture of how your IT assets correlate with your business functions.


Once you have identified your assets and the outstanding IT risks to the business you can then assign controls to them, and mitigate IT risk to acceptable levels.

The only way to effectively manage growing data points is through the proper use of automation which typically focuses on gathering controls data for audit support. This results in the ability to assess the environment more frequently and has two main benefits:

* Find issues before they escalate into full blown projects; thereby controls deficiencies can be remediated as part of daily operations, as opposed to project scale endeavours.


* Know where trouble spots are before the auditors arrive, demonstrating due care and that appropriate management controls are in place.

For too long, generating and providing reports to auditors has been treated as a disruption for IT operations. However, automation enables the production of meaningful and accurate reports specifically tailored to meet auditor queries. It also reduces the amount of time spent collecting data and reporting on IT controls, and instead allows the IT team to focus on how the organization can make best use of its regulatory environment.


A commonly overlooked part of the IT risk management process is the steps taken for remediation of detected deficiencies or vulnerabilities. There are three factors that mean organizations often have limited resources to address the risks they face every day – capital, labour and time. By prioritising IT work-based upon the business impact and risk tolerances, organizations can make the best use of these scarce resources.

IT security teams need to think like a “traditional” business and demonstrate how specific remediation activities (and even bigger project-level investments) will impact the organization’s IT risk posture; thereby giving value for every penny spent. By assigning a business value to the remediation work, IT can show how the IT security spending has improved the organization’s compliance and security posture.

Once a value is assigned to controls implementation and remediation activities, it must be tracked. Through consistent (automated) testing and reporting on changes made by the remediation efforts, the positive results of those activities become clear. Trends emerge that can be used to show the audit committee and other key stakeholders that you are exercising due care in responding to the shifting regulatory and threat landscape. In time, you can show that you are continually working toward a better managed risk programme.


The aim of the management phase is to make sure there’s a common goal of operational and strategic visibility in compliance, IT risk and control environments. The main requirement is to get to know your business’ numbers.

All businesses run on numbers; the trick to making sound IT risk decisions is no different. The first step is to find useful numbers that can be gathered (ideally in an automated fashion), the second is effective measurement, and the third is to communicate those numbers to the business.

For IT risk, it may seem logical to start with metrics generated by IT or information security; however, this is not the whole picture. Look elsewhere in the business to see the impact of IT operations and effective security and compliance activities. Using the numbers generated by those business units ensures that your success aligns with theirs. This way, metrics for compliance and risk management are received in a language the stakeholders can understand.

By frequently monitoring these numbers, you will have real-time situational awareness of compliance and IT risk processes. Long gaps in measurement can potentially undermine both the numbers’ validity and the security department’s credibility. That’s why it’s important to automate wherever possible to ensure that you are getting regular good quality data without overburdening staff or inefficiently using limited resources.

Frequent measuring of IT risk indicators allows the organization to spot trends, highlighting under- or over-performing areas of the enterprise. The organization can then target areas that are underperforming and remediate well in advance of an audit to show that management has insight into those areas and is exercising due care.

Once the data starts streaming in, continue to engage those parts of the business that have been tapped for that data. This showcases the value of high-quality IT risk management, and provides a phenomenal platform from which to grow your influence and involvement in guiding IT risk decisions and improving your organization’s overall risk posture.

By assigning a value to the metrics you are tracking, you can build confidence within the business for your IT risk decisions. When pointing out high-risk areas to the stakeholders it is far better to avoid selling ‘fear’. Instead, use solid metrics to build a stable base of credibility and business alignment that will pay dividends for years to come.


To effectively understand and communicate IT risk, the IT team needs to think and act like a business. By following this simple four-step framework, you can drive value in the IT risk management process for your organization.

Remember to keep these tips in mind when using the framework:

* Relate IT risks to business goals

* Utilise good numbers to support prioritisation and remediation efforts

* Report on those numbers and highlight trends to demonstrate continued insight into critical areas

* Keep the business engaged to create support and executive involvement

IT organizations can take the lead in identifying, assessing, remediating and managing IT risk when they use the right tools. The result of this allows companies to increase network security, reduce management costs and achieve greater compliance by effectively assessing and classifying IT risk.

Copyrights @2009 - 2021 by