Business risk and IT security teams must work together, because there is no such thing as IT risk, only business risk.
OCEG and MetricStream have made available a free illustration on the topic of How Business, IT and Security Teams Gain a Common View of Risk.
As usual, there are some good points in the OCEG/MetricStream work.
But, also as usual, I have some problems.
There is no such thing as IT risk, nor is there cyber risk or information security risk. These are just sources of business risk.
We should be concerned about how a failure to manage any of these areas might affect the achievement of business objectives.
Let’s take two situations.
In the first, the company is about to release a breakthrough new product.
In the second, the company is mid-cycle on its latest release and is starting to consider how to move forward in the next generation.
In both cases, success of the business is dependent on keeping its intellectual property (details about its product and related marketing and sales plans) safe. The likelihood of a breach and subsequent theft of its IP is identical.
But the effect on the business, and therefore the level of risk, is far greater in the first case than in the second.
It is fairly easy to come up with similar scenarios. Consider a retail chain and its dependency on the reliability of its computer systems. First, think of the level of risk should the systems go down mid-week in February. Now think of the level of risk should they fail during the week prior to Xmas or Thanksgiving.
How about a start-up company that finds out that its financial systems have been penetrated by a crime syndicate? Is the risk the same six months before going to investment banks and starting the process to go public as it would be in the midst of a public offering? Clearly not.
Yes, all of the groups included in the illustration need to be working together. But let’s add in the strategy and planning groups, operating management, and perhaps everybody else.
You need to consider how a failure in the use or management of technology could affect the operation of the business today and in the future if you want to manage risks (and their sources) effectively.
Take each of your business objectives and plans. Now, figure out what might result from a technology-related failure (noting that ‘technology’ extends beyond the IT function). Then, what are you going to do about it?
I welcome your comments.
BTW, I strongly recommend joining OCEG (www.oceg.org). Membership of the nonprofit is free and there are lots of resources, including webinars.
Full disclosure: I have worked with both but am independent.