Only the incapacity to translate risk to technology
What do you want to protect?
When someone breaks into your house, the damage to the house itself is of course annoying, but the real pain lies in the items that are stolen from it. If your grandmother's diamond necklace is gone, that is irreplaceable. The damage to the house is fixable.
When we translate this to IT, technology is the house and information is grandmother's necklace.
This means: Construct technology in such a way that you reduce risks regarding the processing of information to an acceptable level.
Starting with information is the only way to successfully address risk. You need to first understand your information and get your information security process on track.
What should you do?
So, to all information owners: next to asking what technology can do for you, first think about what you can do for technology. These are three simple but crucial steps:
Know your information.
Analyze impact in case your information becomes unavailable, incorrect, or a breach of its confidentiality occurs.
Determine the probability that impact occurs.
Keep in mind: risk = probability x impact. You cannot determine risk when one of the two is missing.
The better you understand your information, the better you will be able to determine impact. To determine probability, you need to understand who processes your information, how and where they do it, and through which processes.
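To make the three steps concrete, here is a small information-risk register written for this post as an added example; it is not code from the original article or from any tool the author uses. It assumes a constructed 1 to 5 scale for both impact and probability, splits impact into the three properties the text names (unavailable, incorrect, confidentiality breach), lets the business owner set the acceptable level per asset, and, following the rule that risk cannot be determined when either factor is missing, reports those entries as undetermined instead of silently scoring them. All asset names and values are invented sample data.

```python
# Added example for this post, not the author's own code.
# Scale, field names and sample assets are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The three kinds of impact named in the text: unavailable, incorrect, disclosed.
PROPERTIES = ("availability", "integrity", "confidentiality")


@dataclass
class InformationAsset:
    name: str
    owner: str                          # business owner: decides the acceptable level, not IT
    acceptable_risk: int                # highest risk score the owner accepts (assumed 1..25)
    impact: Dict[str, Optional[int]]    # per property, 1..5; None = impact not yet analysed
    probability: Optional[int] = None   # 1..5; None = probability not yet determined


def risk(probability: Optional[int], impact: Optional[int]) -> Optional[int]:
    """risk = probability x impact; undetermined (None) when either factor is missing."""
    if probability is None or impact is None:
        return None
    return probability * impact


def assess(asset: InformationAsset) -> Dict[str, Optional[int]]:
    """Risk per property for one asset, keeping None where it cannot be computed."""
    return {p: risk(asset.probability, asset.impact.get(p)) for p in PROPERTIES}


def requirements_for_it(
    assets: List[InformationAsset],
) -> Tuple[List[Tuple[str, str, int]], List[Tuple[str, str]]]:
    """Split the register into two lists the owner can hand over:
    - entries whose risk exceeds the owner's acceptable level (IT must reduce probability)
    - entries that cannot be scored yet (the owner still has homework before blaming IT)
    """
    above: List[Tuple[str, str, int]] = []
    undetermined: List[Tuple[str, str]] = []
    for asset in assets:
        for prop, score in assess(asset).items():
            if score is None:
                undetermined.append((asset.name, prop))
            elif score > asset.acceptable_risk:
                above.append((asset.name, prop, score))
    return above, undetermined


# Constructed sample register; names, owners and scores are invented.
SAMPLE_ASSETS = [
    InformationAsset("customer_records", "Sales", 6,
                     {"availability": 2, "integrity": 4, "confidentiality": 5}, probability=2),
    InformationAsset("internal_newsletter", "Comms", 6,
                     {"availability": 1, "integrity": 1, "confidentiality": 1}, probability=4),
    # Probability never determined: risk stays undetermined for every property.
    InformationAsset("payroll_export", "HR", 4,
                     {"availability": 3, "integrity": 5, "confidentiality": 5}, probability=None),
]


if __name__ == "__main__":
    above, undetermined = requirements_for_it(SAMPLE_ASSETS)
    print("Requirements to pass to IT (risk above owner's acceptable level):")
    for name, prop, score in above:
        print(f"  {name}: {prop} risk {score}")
    print("Cannot be assessed yet (impact or probability missing):")
    for name, prop in undetermined:
        print(f"  {name}: {prop}")
```

Running it lists the customer records' integrity and confidentiality risks as the requirements the owner must communicate to IT, the newsletter as acceptable despite its high probability, and every payroll entry as undetermined because the owner never estimated probability.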
What does it achieve?
By doing all this you are able to instruct people how to process your information safely, and to tell your IT department what requirements you have for the safe processing of your information. This reduces the probability that the impact occurs (it does not eliminate it).
This also allows you to take the risks you determined and ask the people responsible for managing risk in your organization, to help you manage them. Your risks now become part of your organization’s enterprise/business risk management.
And yes: the less well technology complies with your requirements, the bigger the chance that your information is unsafe. So make sure the IT department understands your requirements, and do so every time your requirements change, not just once at the beginning. It is a continuous process.
IT risk doesn’t exist!
I don't believe there is such a thing as IT risk, only the incapacity to translate risks (enterprise, business, cyber, financial, et cetera) to the IT environment. Does this mean the IT department has no responsibility for managing risk? Absolutely not! The IT department is responsible for translating risks to the IT environment. They need to make sure that the probability of impact occurring through the IT environment is at an acceptable level. There is one important thing to remember: the business owner of the risk determines the acceptable level, not the IT department.
However, if the IT department doesn’t know about the risk, you cannot hold them responsible when impact occurs. Therefore, it is important to align risk management with IT.
Information determines the right construction of technology. Not the other way round.
So, when it comes to risk and IT, focus on ‘I’ and make ‘T’ work accordingly.