Skip to Content

IT Risk? There’s No Such Thing!

Dec 22, 2023
Kasper van Wersch

Only the inability to translate business risk into technological defenses.

The information processed by technology determines the risk—not the technology itself.

When it comes to protecting your business, what matters more: the security of the technology or the information it holds or processes?

When someone breaks into your house, the real pain isn’t the broken window but the stolen heirloom—your grandmother’s diamond necklace. The house (technology) can be repaired, but the necklace (information) is irreplaceable.

So, when we translate this to IT: Technology is the house, and information is the heirloom.

Understanding What to Protect

This means you must construct your technology in a way that reduces risks to the information it processes, bringing them down to an acceptable level. And that starts with understanding the information, not the tech.

But how do you do that effectively?

Recently, I worked with a team to respond to a request for proposal (RFP). A company was seeking a managed data warehouse environment, and a section of the RFP focused heavily on security and privacy—specifically how our solution would support data minimization and legitimate interest in line with EU privacy laws.

I asked the team: “Do we play any role in the customer’s business function, or are we simply providing a ‘container’ for data storage?” It turned out to be the latter. Our role was simply to provide a platform, with no responsibility for data minimization or determining legitimate interest. However, the customer was struggling to translate those privacy and security requirements into their own business processes.

By stepping back and viewing the situation through the lens of information risk, we explained to the customer that these responsibilities were theirs. This clarification not only helped us win the deal but also positioned us as a trusted partner—willing to explain, challenge assumptions, and help them assign internal accountability.

What was their real risk? It wasn’t in choosing a data storage solution, but in not knowing how to align their information processes with security and privacy requirements. This inability to translate requirements into the context of business functions leads to increased risk of non-compliance—especially with EU privacy laws. And with increased legal scrutiny, any oversight in processing information securely can result in high-impact consequences.

What Should You Do?

So, to all information owners: Don’t just ask what technology can do for you. Start with these three steps:

  1. Know your information—Identify what information is critical to your business processes.
  2. Analyze the impact if your information becomes unavailable, incorrect, or its confidentiality is breached.
  3. Determine the probability that such an impact will occur.

Remember: Risk = Probability x Impact. Without knowing both, you can’t accurately assess your risk.

The more you understand your information, the better you’ll be able to identify its impact. To determine the probability, involve people who know the business functions, not just those who manage the technology.

The Value It Brings

By doing all this, you can guide your IT team in securely processing information, reducing the likelihood of impact. Aligning these risks with your broader enterprise risk management allows for a holistic approach, making your organization more resilient and prepared.

And yes, technology plays a role—but its compliance with your information requirements is what keeps your data secure. It’s a continuous cycle of understanding, adjusting, and improving.

IT Risk Doesn’t Exist!

The term “IT risk” is a misnomer. There’s only the challenge of translating business risks—whether they be enterprise, financial, or cyber risks—into the IT environment. Does this mean IT has no responsibility for managing risk? Absolutely not. IT’s job is to reduce the likelihood of risks affecting information through technology. But the acceptable level of risk is determined by the business, not the IT department.

If IT doesn’t understand the risk, they can’t be held accountable when things go wrong. Therefore, align your risk management with IT to ensure everyone knows their role. Information shapes how technology should be built, not the other way around.

Focus on the “I” in IT, and let the “T” serve accordingly.

About the author

Senior Security Advisor | Netherlands
With great enthusiasm I have been working in IT for 25 years now. I started in sales and over the years my interest shifted to consultancy. The emphasis of my work has always been (and still is) Information and Cyber Security.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Slide to submit