CIO roundtable
Risk management is all about the basics

Ask the experts: Take no risks

The results of a recent CIO roundtable that examined the challenges of risk management

Written by Mark Samuels

Participants discussed their experience and came up with a series of best practice tips for IT leaders to focus on to develop their own plans to protect and secure the business:

Back to basics

Risk management is all about going back to basics - which, in turn, is all about inclusion and a holistic approach. As we are sharing information, we’ve got to be careful to create a balance and not to add too much control that might stop the desire for innovation.
Colin Windsor, chief information officer, Openreach

I think the holistic view is crucial - we need to consider people, process, technology and governance in combination. We’re constantly struggling with human nature and the issues surrounding new social networking technologies. Each individual will look at risk from their own individual viewpoint. It is essential we get ownership right and the people marshalled so the right rules are in place.
Tony Marshall, interim risk manager working for central government

People need to learn. If individuals begin to care enough for their own data, then maybe more people will care about business information.
Ray Stanton, global head of BT’s business continuity, security and governance practice

Leadership

The buck stops with the board. If we are going to address IT and data security, we have a duty to make sure the board is aware and that they have decided on the monetary value of information. The board needs to tell us what they want to protect so that we can implement the right tools to address the business elements of risk.
Amir Mohazab, head of IT, Protiviti

We’re talking about the ability of IT to influence the business - and we need to consider whether IT has a high enough profile. Are IT directors actually on the executive board of companies? Traditionally, the board representation of IT is not all that it might have been - and that is often still the case today.
Paul Graham, partner, Dundas and Wilson LLP

Education

The IT industry has a propensity to beat itself up when it comes to security problems and to take on business-related problems. We’re basically talking about human failings - and that brings us back to issues of process and the correct training of individuals.
Richard Stephens, principal, Lors Online

Effective risk management is all about education and leadership. We need to concentrate on the actions of individuals, which can cause a security breach and a loss of information. As has happened with security and virus control, we’ve got to start putting out some simple messages and educate the people so that risk management is ingrained into the culture.
Peter James, chief information officer, Achilles Information Limited

Risk is a threat that runs through a public sector organisation and we sometimes don’t analyse the processes correctly. Organisations can become complacent with regards to staying refreshed with key issues and disseminating information to staff. The high-profile data loss incidents have shown to public sector staff that they need to tighten their processes to ensure such incidents do not happen again. We must say that we have learnt a lesson and move forward.
Kash Akram, director of business development, Cromwell College of IT and Management

People and processes

Risk management is all about people and processes - and technology is only the final part. We’re probably pretty good at learning, but we’re not very good at the training and development because we’ve always got something else to learn. Such an approach means you never actually develop the best practice within the business. We just need to create an effective balance between the business and IT, because business actually has an appetite for risk - and that is how it gets a competitive advantage.
Que Tran, IT solutions director, Synovate

Without good risk management, you cannot work out the best way to allocate your resources. You cannot terminate all risk, obviously - and you need to manage it. Without undertaking a process of quantifying the risk, it will be impossible to work out which areas you should focus on.
Mark Hughes, director, BT Group security

Roles and responsibilities

Roles and responsibilities really need to be clear - and responsibility for risk within the business can’t possibly be with IT. If you address the risks that you can foresee, you will also be addressing most of the risks that you cannot foresee. So, just be active in managing risk.
Kevin Davies, head of information strategy and policy, Highways Agency

As the executives of the business, I think we’ve got two responsibilities. One is to make the business aware of the risk in terms of compliance, governance and measurement. When we go to our business colleagues, we always complain that they cannot tell us what they want. Well, we need to help them tell us what they want. Second, we have a duty as managers to implement the right processes to mitigate some of the risk.
John Wishney, interim executive director

Managing risk: http://managing risk.computing.co.uk
