April 30, 2015

April 10, 2015

Please reload

Recent Posts

I'm busy working on my blog posts. Watch this space!

Please reload

Featured Posts

Can IT learn risk management from Infosec?

February 1, 2011


Recently I've met and worked with a few CIO's and helped build some IT risk management processes (note the absence of "security"). IT certainly has their hands full and encompasses many more services than the security group. In general IT's primary concerns are performance and availability (and lately cost).  They cover a lot of ground e.g. networking, monitoring, internal-external hosting, messaging, service desk, telco, dev, client, db, server, mainframe, etc. Are IT managers knowledgeable in identifying, prioritizing, and driving mitigation decisions in a regular, disciplined process? I know many are. However I know many who are too busy to stop and think about the various failure modes that may affect them now and in the future. Sounds very familiar.

Infosec includes Availability in the triad, however I think the diversity of risks to confidentiality and integrity require more discipline when predicting future loss events. As a result, many Infosec pro's thrive on identifying corner cases (failure modes), regularly assess impact and likelihood, and drive investment decisions. Infosec has to be solid because we're facilitating spending decisions on predicted events - a tough sell that requires well organized evidence, marketing, and communication. For regulated folks, some are mandated to perform enterprise risk assessments.

While security focuses on CIA, I can argue IT proper has a broader set of risk categories e.g. performance, efficiency, reliability, recoverability, scalability, agility. Many of these risk categories are generally forward-looking, business risks. Some IT shops don't have time to stop and think about possible failure modes, prioritize, plan, and act.


In my experience, more CISO's have an enterprise heatmap of security risks than CIO's have of broader IT risks. The next time you're hanging out with your IT peers, get their thoughts on your security risk heatmap and see if they'd like to have a wider IT risk heatmap and prioritization process. Might be a great opportunity to build goodwill. Ya' know, before you hit them over the head for not patching the production servers 

Share on Facebook
Share on Twitter
Please reload

Follow Us

I'm busy working on my blog posts. Watch this space!

Please reload

Search By Tags