Technology's role in managing risk

05 Mar 2009

Web seminar

Increasingly, today’s business leaders are using risk management to better understand the threats facing their organisation.

But technology remains a key component of risk management, and successful IT leaders are becoming adept at tailoring their system defences to the risks they face, thereby delivering the most cost-effective protection.

In the most recent Computing web seminar, in association with BT, our panel of experts explored how today’s leading organisations are aligning technology plans with risk assessment strategy.

Our experts were:
Martin Atherton, principal analyst, Freeform Dynamics.
Steve Benton, head of governance, risk & compliance portfolio, BT Global Services.
Andy Jones, principal research consultant, Information Security Forum.

Q: Our board has embraced the concept of risk management, but they’re less interested in funding the technology. How do I get business buy-in?

Steve Benton: My experience has been that the best approach is to talk to them about their information needs. Ask them what would help them to build risk management into their value-creating strategy for the organisation.

You then need to show them how technology can deliver timely and accurate information on risk so they can make those decisions effectively.

What often happens in organisations is information filters its way up, so risk information does reach the board level, but by the time it does it’s been summarised or it’s maybe two or three months old.

Q: Is there a danger that risk management strategies make the process needlessly complex? Wouldn’t it be better to focus on which technologies provide robust protection?

Andy Jones: There isn’t one definition of risk that we can all agree on. So at the senior management level what one person thinks of a risk can be completely different to what other people think. It’s not that the tools are complex, it’s a complex concept.

Technology has a role in mitigating risk. But a lot of risk mitigation is about what people do and that’s a cultural, behavioural thing. It’s difficult to address with technology.

One of the things we found is that the attitudes to a risk can vary greatly between head office and out in the regions. We are talking about two different attitudes to one risk. When we think about risk we tend to do it in our comfortable head office environment. For somebody working in the middle of Africa or China things look different, and their attitude to risk reflects that.

Martin Atherton: We’ve seen the different views of risk across the enterprise highlighted in research. And while the concept of central command and control works to a point, it is different in practice. So a certain amount of local autonomy is vital, otherwise you’re going to stifle the organisation or not protect users enough.

Q: The volume of compliance regulations is outstripping organisations’ ability to update their technology plans. Can compliance suites provide an effective way to deal with the volume of regulation coming on stream?

SB: There are tools out there that give you a means to get a view across your organisation. However, you want to avoid technology that ties up time and resources to get the answer.

You need to look at technologies that allow you to do a rapid assessment, to get an overall, across-the-business view to just see the nature of the gap. What impact will it have on business if we aren’t quite compliant? How long have we got to align ourselves with it? And you make it into an investment decision.

AJ: You cannot comply with all the regulations and legislation across the world. They don’t agree with each other, they don’t use the same terms, they’re mutually exclusive. So you need to take a risk-based approach to compliance.

To watch the full web seminar including presentations from our expert panel, click here

Managing risk – it’s about people, process and technology

Computing is hosting a half-day seminar in London on 18 March entitled Managing risk – it’s about people, process and technology.

Speakers include:
Marcus Alldrick, chief information security officer, Lloyd’s of London
Gary Murray, former MI5 and US government undercover agent
John Walker, director of the Information Systems Security Association
Ray Stanton, head of global security and business continuity, BT

Click here for the full agenda.

Places on this exclusive seminar and networking event are limited and available on a first-come, first-served basis. To register your interest in attending, email lucy.tarbard@incisivemedia.com.
