Put IT risk under new management

Do any Dark Reading, and you become keenly aware of cyber risk. Since helping companies manage risk is our thing, a survey on incident management trends caught our attention.

The survey in question was conducted by Dimensional Research. More than 400 IT professionals at organizations primarily in financial services, manufacturing, technology, and healthcare were surveyed. Their collected views paint a picture of businesses continually under cyber attack and IT departments under siege.

Media coverage of the survey highlighted two surprising results. Over 90 percent of large businesses reported major incidents occurred at least several times a year. Upwards of 60 percent indicated major incidents happened monthly or even more frequently.

As with most stories, the real story in this survey is behind the headlines. Each question reveals a pain point for IT, incident management teams, and management. By adding our perspective, we can present the three major challenges and solutions for IT professionals and IT managers, as well as management and the board.

Challenge: downtime isn’t just an IT issue, it’s also a revenue risk.
Eighty-two percent of those surveyed agreed with the view that downtime equals revenue risk and its impact can be significant. This stat echoes our view at LockPath that IT risk is enterprise risk. A major IT incident that takes an application offline for minutes to hours reverberates throughout an organization and hurts the bottom line.

Solution: manage IT risk more effectively with an integrated risk management process
Organizations that excel at governance, risk management, compliance, and information security are most likely employing an integrated risk management process for managing incidents. Such a process is powered by a GRC platform that connects organizational silos to collaboratively solve incidents and address threats and vulnerabilities, all the while improving communications between stakeholders. As a result, the risk of downtime impacting revenue is greatly reduced.

Challenge: IT is understaffed to manage incidents and IT risk.
Among companies surveyed, just over half have a major incident team. Only 44 percent have dedicated personnel for major incident management. For most IT departments, managing major incidents is reactive. When an incident happens, it’s all hands on deck.

Solution: technology can allow IT to be more proactive and productive.
The IT department won’t double or triple in size anytime soon. There’s a shortage of qualified information security professionals. Technology like a GRC platform can help manage the lifecycle of incidents and make IT personnel more productive in their day-to-day responsibilities.

Challenge: lack of communication is more troubling than the incident itself.
Eighty-seven percent responded that business management must be informed during major incidents. Over half cited lack of timely communication as an issue more alarming than the incident.

Solution: manage in a way that promotes fewer incidents and better communications.
If IT does a better job communicating to management outside of incidents, management might be in a more understanding mood during an incident. Also, if your organization can improve in how it manages vulnerabilities and addresses threats, you can reduce the risk of incidents happening. Focus less on incidents and more on vulnerabilities, threats and communications with management.

The risk from cyber threats is ever-growing. The rate of incident occurrence should follow in lockstep. Issues identified in the survey like incident recovery time and lack of communications are likely to persist and worsen. Look into technology solutions like GRC platforms that can address incidents holistically and make IT risk management more efficient and effective. It’s time to put IT risk under new management.
