In most cases it means making a compellingly attractive business case, getting the pertinent information to the right decision makers and being sure that its written in a language they can understand.
Executive suite
IT risk management initiatives are most definitely aimed at executive attention and for good reasons. The economy has become increasingly dependent on the Internet and IT systems (the Cloud). this makes the inherent risks in these systems far more visible and potentially more significant than ever.
Risk management is a discipline with a myriad mix of interests groups and stakeholders: CIOs, CFOs, enterprise risk management teams, compliance and regulation staff, and both internal and external auditors.
Choose your words wisely
You need to aim your plan at CIO level and there are generally two types of CIOs; the executive infrastructure managers and the strategic business thinkers. The latter will succeed with their IT risk management agenda because they speak in terms of business advantages, not technology outages (Business Impact Analysis). Par example;
- Instead of talking about a "zero day threat," consider the impact of a potential incident, in terms of potential business losses. (Quantify in general terms)
- Instead of talking about RTOs and RPOs, speak in terms of lost revenue and customers during an outage. (Sales, turnover, throughput, etc)
- Instead of highlighting unimplemented ISO controls, speak about the lost communication and effectiveness of employees who need to collaborate and share information both inside and outside the firewall.
- It also doesn't hurt to point out the impact on productivity when the critical path and workflow is disrupted.
Use a High-Medium-Low spectrum of potential business loss
Part of using the right language is to help you move away from absolutes. Inevitably, a single prediction of loss will start a battle of statistics and probability debate, with the risk that your request will get lost or bound up in the process. Instead, provide stakeholders with a variety of realistic scenarios and have some good data to back it up.
Start by considering whether you are a low risk company, moderately tolerant, or highly tolerant and then you can go to work with some calculations. Be prepared to back up your recommendations with numbers. Understand that you probably won't get exactly what you are asking for, but by presenting accurate potential scenarios, you might get your mid-range goal.
Use headlines to your benefit
All of today's business leaders have been shocked by the recent headlines regarding corporate scandals and the sudden loss of freedom or career prospects that this may bring. They dread the thought of the "orange jumpsuit retirement program." and there is still a steady stream of privacy and data leakage issues that will continue to feed into the headlines.
Those held responsible, willingly or otherwise, have ranged from; unsuspecting backup administrators and employees who unwittingly left laptops in car trunks; to mid-level managers involved in publishing quarterly financial reports and executives operating with full and certain knowledge of potential breaches.
You can make good use of these "publicly displayed sacrificial offerings" to illustrate and re-enforce the real risks at stake. This will help you move away from the discussion regarding the siza, shape and probability of an incident or event and break the statistical deadlock.
Move your message up and around the chain
Identify and consider the strong players and potential champions involved. Work hard to win them over to yor way of thinking. Rememeber, IT risk management isn't an exclusively IT-driven discipline. Work with the compliance team, the IT group, the legal group, the auditors, the enterprise risk management group, and the business leaders. Create cross-company initiatives to align each of these groups. This will require as much time communicating outside of IT as inside.
Identify your milestones
Before going into an executive meeting with your precious ember of a request, identify up to three milestones you expect to meet and explain in business terms how these milestones will provide real benefits and payback to both the business and IT.
If you can, start with a proof of concept e.g. for a content filtering project. This will have much more value if users from audit, legal and a line of business are involved in choosing terms to flag, track and quarantine events. A security 'incident reporting' process may get more enthusiastic response, if users understand that increasing their awareness will help to save the company money and protect the corporate image.
Conclusion:
IT risk management will become increasingly important as key organisational stakeholders begin to see the importance and effectiveness of an ongoing program. For now, IT risk professionals and their associated colleagues can continue to work to establish a baseline program by using the right language and the right information to ensure continued support internally.
No comments:
Post a Comment