|
|
|
How to Begin IT Risk Management: Five Steps to Getting What You Want
By: Jennie Grimes
2008-01-16
Article Rating:  / 12
There are 0 user comments on this Network Security & Hardware story.
What does it take to get attention for IT initiatives in today's enterprise? In most cases, according to Symantec Senior Director Jennie Grimes, it means making a compelling business caseand getting the right information to the right people in the right language.IT risk management initiatives are definitely worthy of executive attention. Our economy is increasingly dependent on the Internet and IT systems, making the risks in these systems far more visible and significant than ever. But, it's a discipline with a myriad of stakeholders: CIOs, CISOs, enterprise risk management teams, compliance and regulation staff, and internal and external auditors.
Step #1: Choose your words wisely
There are two types of CIOsinfrastructure managers and strategic thinkers. The latter will succeed with their IT risk management agenda because they speak in terms of business advantages, not outages.
For example, rather than talking about a "zero day threat," consider simulating the impact of a potential incident in terms of potential business loss. Instead of talking about RTOs and RPOs, speak in terms of lost revenue and customers during an outage. Instead of highlighting unimplemented ISO controls, speak about the lost effectiveness of employees who need to share information both inside and outside the firewall. It also doesn't hurt to point out the impact on productivity when employees can't effectively share information effectively.
Step #2: Use a High-Medium-Low spectrum of potential business loss
Part of using the right language is moving away from absolutes. Inevitably, a single prediction of loss will start a battle of statistics and probability debate and your request will get lost in the process. Instead, provide stakeholders with a variety of scenarios and have data to back it up. Consider whether you are a low risk company, moderately tolerant, or highly tolerant and then go to work with some calculations. Come prepared to back up your recommendations with numbers. Understand that you probably won't get exactly what you are asking for, but by presenting accurate potential scenarios, you might get your mid-range goal.
Step #3: Use headlines to your benefit
Many of today's business leaders dread the thought of the "orange jumpsuit retirement program." There's a steady stream of privacy and data leakage issues that will continue to make the headlines. Those held responsible have ranged from unsuspecting backup administrators to employees who unwittingly left laptops in car trunks to mid-level managers involved in publishing quarterly financial reports to executives operating with full knowledge of potential breaches. Make use of these "public hangings" to illustrate the real risks and move away from the incident probability statistic deadlock.
Step #4: Move your message up the chain (and sideways, too)
Consider all your potential champions and work to win them over. IT risk management isn't an exclusively IT-driven discipline. Work with the compliance team, the IT group, the legal group, the auditors, the enterprise risk management group, and the business leaders. Create cross-company initiatives to align each of these groups. This requires as much time communicating outside of IT as inside IT.
Step #5: Identify your milestones
Before going in with your request, identify three milestones you expect to meet and explain in business terms how these milestones will provide returns to both the business and to IT.
For example, starting with a proof of concept for a content filtering project will have much more value if users from audit, legal and a line of business are involved in choosing terms to flag, track and quarantine. A security incident reporting process may get more enthusiastic response if users understand that increasing their awareness helps save corporate dollars and image.
Conclusion:
IT risk management will become increasingly important as key organizational stakeholders begin to see the importance of an ongoing program. In the mean time, IT risk professionals can colleagues and establish a baseline program by using the right language and the right information to garner support internally.
Jennie Grimes is a senior director for Symantec's IT Risk Management Program office.
|
|
�������x}ks6*�Q3{LQG-y�ZNVP$$1H.I�˩'o�҃H&{��6�Fh|Ggo�D.�0 :ܢd�C�3齿O$w�m��L9PK�Ϡ^=W�Zj:@a5˜Nz���q@^cFw��D%x�_��@jO @�.Rs2
j9�9&ԗ�7'x2 X�m 8�kzZC'A�jw��-Z P8"�X.�{D~,�
Du�XqL��ǎ�H+�*#'�x8Ӽi/DaOXHz5"x<&J��;^7�;�z~;B�
1V9`T�K]K{<"#oAUD�25v!6^��@^��c\ȁy4�_
*YNrD�FL�$�jE$ӤRcf�=�9�Qw^C]ݱ���R,RE͌i�:gj�5[gb}ױ}ǣ��.&�$gtj��L_FB?$fR[8�=/�y�y��dPt[dq=�ɲf
g�3nmަ[ǪR.�BX-U��cx>oچs[=0q*sܼǟ�a9ʑ�GA
Gf�mGkh[Nv^Ԣz�C^�}n_\G��@$HcA~N7&�Z.��JX<%�|a�Om@t:A�XsEF j�|%rX:,�X-�]jz[zOaF`%�pfQ!2I}2h}}uɠ}z~ri!|c9̠T
PAfPKe+��ԩZuܜn9n:MIs#+|q��5�0\6:}Z:�['^=:$?,rG=����j�iT�%%�VtM�usJr,�Oe5h���پBd}#�7��ReQ
�oȱn>�@|Ӡd6
2T��ch^�ԩ#5ۯhV9<<䭱JG+Ҕj�
�9B��A`�ܼN�49�Vϡ�8蟩$W�m�4�@r1�YSl �RMFoB@{�e��,�}PEtBAͨO��${3BD�ȝ`g�/3�A.r)i ��`o8{ØWX*\�E9Gm'!|Аd6ml�-ƹ�h$�
,70}Hg@z�¤ �WX8<�c�O�v�/|�\aP���n=��j$
nh��-D��v|@9�HhQ0<�sx0ܙ[3σ�@�c`���V���PAX��' 6)���X.�s�6Gv62-0���s�R�|'sZ(�7^`@=JI �# E�EK�y3@� $h�5N`��z���<�
�ŊH~ޑ�vR.%r��P.o=!ԑtLR.?Kh3aGe�-n^
$�d6g2+IMiG]W-&D7r"e�.G 7Kᙖ6ZlZe
y-0f�L>hQox@�}0hk3S)4�ٜi893�@�0>A̞P��,[Xr�ww,_zt?8d�Gc�NEi^s_o2E- �P.�ܼ?
b>Ȝ 8C��_gM������Y�h(d'pC!f4Sy*$,T�B�UR���լ
LqG).ESgFl㜜3F]s;tO��_f]ZЬ{{#Uע�m�H_Ơ\>�.
B[+�(� M��2%W��}ka %/D�A
n:\\1,#
l,>F4~hN/a2*)w4�P�:6b8dOͱI
v�GQ"��O�G,-3VV�jXU�+RY;l�� �ʸS�IՐ6 [IF|t�|:.�MKϱ("}�r3�6O�����=<�f�q��Ea)e�-6BUjbg`m1J�x=e\4�8�L XbOF�]F��Kzf/.,��KY{yMٓ.B�|vn�N Br�S��hfh:6-��<͝lRF_a֚i�ofJPTIO9&�_G5�k�^��ˣ�Wر,>2躢ƍG�Ʊ4]��bJtM{��
@�Q�Qo�>�U�\��!EX+Lb�8l^x�}udN`'\sW�[�"�L��Jm#Μi-L,*I�-b],�* O1�kM8v�هE>'{E;�
����7�a/S"X @54�ÀF>�B�OZq�1�-b�P*��B$f�E�P�`u0$PoXL�+*�9O>pϟ��
sFWyYF濘?O�~ԪbVm&ZQrTUh�1Gq�)4Ku�)�;u�3}h�1{KpHo(����gn�!W#s3/'x�1{h'0`�S� �+R?�̑<]I0�K1SlcSxt$�b*��ZAU�[�+[3]>�F����]h���C\4�<�}o�S�4�pf
mWq>[J�ZJwg 唟`�Zp[zGs�8-"��,re=QeTVQqi?r;d跸2]
Q�|z0fƏ^W�L�uP=��ʚwZu^�_쥠]hDA�j`��
Нv;#ؐCKAm1ʯ!'�8՞o��F* ϛ=G$1�*@7Z �ɖvgV �Նgy�gf7ܪ�+_M�}S�ey ܛZI�h�`�%g\QJkh�{9�^@HpfGi�*�}䯖gQ�!p<7��Mt"�w]Qr.�_�c2�
s*?�<�)[36p321˓~\�Sc\O U�lGOpODo "[;A�9db:9Ki[2|'@�d��k�Ѫ�93
�NQ&gn|0��fwrʣ:u�߀&��@q}c��n#2v"9iZB*>�_l6a9L�n7[rR)Y���
1ct�864>s'Si
mmSQ
Cz�<�h93$KLfЮ%�H�?k798$mv_&*|)2S�G�6Z|bR�.3Zy�+�jJX�Jz L�5|�5O��C� 7P�kZ]#~{�$}�=բ,@�6ud*ŪR.$�y�U;*6X+(#t�+^��۹a
m.E<�9[ �1ķ�ʨTI�SW".wD<�7Ϩ�3�}Nb�
��4PG��teWՄθ�4;aʿͭGXLd;Ͳ6�ڤi��D@kXJ3dVVTXI05I-֊R{�����2`>U~�UL&2��%SS]����8_`rOn{W9Ԍ!0�J$GR%*m\䎿ߓJtMÀ>zA�R�Q�=Yr�r�ZR��`7�'�ɠ��K=� �J�\|V
n�i*���7�2�4Hv4|7��Nys)>])crѹlKIcxޕx\Mc�R?!hSHӋv:<�f�Sڎ7�M,#rz�KwD!uM@�}]לY0z!B3p%qUYhr!slPh�Mنo{+^�+[���5�̀o $��`��P8���� c@JA=�VohuW�/i�{k�D-�@�X�:�e�}E/R)Q\(뉞�OYY}ڻnr�lo�}AǯJN�~v�Z-[I7S+t,c=]/8�ʚ��=�?M��Nju>�!�����>48r㿜yQ$�a�a�f�AZ}n_��i�Ԏ8%4�\("�1O[bt#1��B
R"f(5�MF]�kցG39^)N yuxȠ#%tBU]+-R!EkE��wW�U��TO��E:'%��mK`!i�>R_{+�!bi4V3XTc��\J�%�(A!��A$J�WU/G,O"E)o&�|x�Fg!s�V",t��>�p=5]_�+EEY��t+~�C$�"K��bZ,� U�z�'�r�,m_fj)X���ҙ��2E)p0f>Zkl$� Pf$�IOHHm;زTԭR$L�C:$�KЬ0%��K%�gJE�bNEZ��<`�0'� �%~-zq�پ덭p�KB2���E�mo9RR��Ϛ��Z'�~!R|�Fˑd@cO0u[�n�KWY�?�-a��w�pf!)%*��b� T ��e��tO�BSz�C�cHR^`�_��GC³�6ooooogpXV�uq�)Ë6�
&S�34��a*:�{QPL{�T,^^&w�u�_�0�⡎���{��>K�*F~�m�{KV{1�h�AO
g7rׁ,XE2{�?�yD�`�vRİZ�ǐ�&|e�.3x�0[ri57�DW�@�i?>�˞A�Ͷn I_m�=fn;t}��
Hv
�G� �5�EnٽƖ�_�W`H�B��F7�qбUB�uӶ'�L�HW[K^@?Ln0%zX()pԥ�AP', ��\?jJDl]#Nݢu:vt(Ar{irIXZ1gTP˷˗f
Ϊ�s7�C�/$G�T0+�>A�W�W�kMW�c�?p�W?VKjoi�ڌ���}y:M����ymnmo
QS=6۬7oôIvJ}m^&嵙��n{{�ŷi�k`�Wݲ::�/=ua�Y�ujسGg�]6#c5��K`2|6L�0W?�%4�C2CbMB$486o�3&e<�-~)l%�=|�)]b98Z"Oޅ�.��/cc�>U&9�E
~$3o^K}�ԭ
V��Ɨy�0ҚX�'�h�C4�wb�%1Y~�Gj�w�.P5y>S@
aFW g9ܨ`�/+o;*�h�(Neã�EA@���,���~V�xrVLv��#�k'>�iHGuط|��RP�y!�Fv�{�Kb+nJ7{$qяhk+j5.��A�^�NuB�cZrD,?��t�UH�H�^XA0ě4p�D]�bɠ:n&ֵb�KfR�lLj-u=�h�h�,vxWȥkpL1UZ8TVK.>%��܋%ӊ,ƻ.c
2�u5WHk̘xp4�vlNz� yԥ�BM�8EwuTChR��xm�ku�9mnbfƆX5�0�Vz^3XvX5��Vڹ곴q� yK-y�-�J4sS%77�Y}y�Ep�T�h
�p�K��_܉)r��'�2�ZK`miX�{>H�'ܪzB��9I�f�ZZvw�^S�UVRR7
�_$`�Z%�xJkNB�.{�z^{noyJmͳ�y,t�
kHч%d�Lfd�O�}TK;e�w[ʏ>aX���pr�|q_o�ZQ�qV .&hP�jߙc{/:OyZܞ��=xSXYrV7"-^a�}oˊRMȶ8�ҽ]���F
Rt
3�}$皭٦v� lG�сH.M
?^J u+WQiA�9U�MZ�8.\SG%G\0]�v}Uh%!mF(��ŧqS,�4pB!1
\�TcЭ�B)˪M;InP}sY?e=`
�'�24/x߽[!ʃZ+=Nl~#�&C*�3�;m�'B't�Mx'9�7W0�O;�}dX8T��D~.�Nɇ�d�>�M��x\Lґ!כ��m;A=~3}DLRO����:\�q\ؐ�!,E||0XV$ʽO��g-�(4�=
Oh(�!'vQ]Q
s�9<�Q'3I:�ϪC^���&
[�>�B8!�iB8z}_8,�1G#s~�#:�́�lZ4���"F��2*mGM=�~I79k[ �45`Bx$l��d
�D�x,0sf��I@�s<�3Dt�"5L[lFLN�N�&~�\11Faŷ~(�l�C�;b21c|>O~�9O�H"4Ȥ�(Jg
"P�V:�
�B|~L�!�RBtSҟ�ͭ�03�L�\��X�ej��xp�K-c8=�Sܕɭو�x*��df�N�,yǥ}-AGjp ��H�:ς��s!aZ;<�Q6IB�u�XRFB(6s�
��מOF릧=�zwj꾌���B�h),f,�])B9|�Ե�>��|�+R0���7�oS�w��2Vq��L�z%rEeW0`A='92fg44\�K�
L]; �&O=lFLf�r5WW�_Y4uMNםAwIN��<Մm-�J-�:'֗es9;7<1(kyl2_T
ΓQ�9lvNS�ʙ`Q{µ,�%�E��wDE 3@cqq�^ LُO3@)Qe;�\VCT�ĨҫSi�0LLL�7[vfS+�t�_6Пxu3�KM:FyS�Pq��r:X)`�чzIg 3��b�Q߾h�Hﲝk&5+ۼ�v(��33ʯz}i�8Qރ^F9r`}y�hjgB3Y�}>��2 ?/?�Vie�~�?ӹ(�;����_���fF7c|nF���͠o�͠O��]n�^f3(?A2ʻP(�K����z_z�
*?3�g�g�7?�?�}P9�9~3w�7Y7�{�d�wɹN2!(ofY
�No\�8'�\$_��YWAa uyQ~��R�~v�X^eйR5
Я!�ߗ�w2~2A\Zu
CFWT=k */dm4Zk8VӮnq_l(Σ�_xi� �+I%<"x��ǹW4<< X)rnmTVl<- �5Q3[� C?�s
H84�{�Vj?f�>t�|aO��vHy1j~h|V/O��q<�9s�Yu8��%��
H-M�ԳpNR�?�kj �-B9jhN_i{�sn`'ߛ8�,@�ꖉ�$us#RRՒRJZVr%Hd�/8 "2��fDQe �jr�o9�Z)�KUrF(�RB�4|O۴W)]74Csc<{�+4�аY-}�"0��^?&G'&^l�u�]1] {7�/�tj^"_��{_۱�B��
�R1��1@e^*q0*j>b%Q<;әC:9mc5:tp)
߄`-kD҃yhp䓿�t89ri;Ìs,�i܁z~�4@;4�Dմ)9P�9'a�̀4WЫ�HWs. hJ/.ӡGxw�#K�Q,V,uTmjaV.
50=_�SP2-�#6O,�UE,%w|\t�t_.c˃]`�so�r:=fG�<0�;��V.�w7��
pI�(�q�0s�-\B�n�!���פ`Dy�
{�]ӧ2�/Hn{J �1-��D=a��틷@&�YL�Ar2���Fdu#�aq�1ldf~x8yl�j"\طÏ }]pz5sʱ
Eɮ[nܙ5LICœj@@rv/l> 9�KR
O"Kw`/Fx�i(�N"M�aџ�D��O�]Wn�BaIg�i�M~=��̯��9?`&<�aϦ,|Ŷ�/�G+I'�kQ����`8'.2](ga�O�?��T|-
5��V�(
�3Eϩf�Sr�ޔN�A&{g&˝ɿ\4fR*4$NS��xsE�z�?X \��cwH�V�Lt>;Oulם@�
d�d��^�M�-e~��=-���)0�p,\f�tOG#6�CF|�eKo��y|w!zQ�`+��슧�~���0qGĶ2C|R4Ϝepv��Rv������?93ϭ69~gs�g_(L�Wv:�mmlP/>yGW}Q'�a|dt%+^FzHM`WH{�XiW��e1�bd+q=3�ӲG(q}",@P�Sѥ+�K�ei$Vi��npSGg�hp#b���u�u+e!.��1�:�f.XݫlׁQ#nHWT�FE®":u`x]j
|Ua=v�5�ϰ|3'5c��gb@8f�{9r+��o=Љe��_�{0^ζpN&}+\�D�I
qk.-�ua4,Lb9��"[^QI�(`�xph;?�҈>A� wVǰ�=BLN��Po�3pRaL ��$b[и�gvC�%�z1�w�~X0�~v19�&Y�>�6�s�3a=�`>��.<�ȳ�(`F,��Lv"V�m9rsh{h۟ZsTHهl*~��&��,{+�нT~xFK-^8Q�>�χ"@�Ԃ+"e��})IDy�)/ρ/�Q>I*g\@qea���Vt*N�/� P.�Y۹rC*g��Uώ7a}BeFBl4*�7·ъE:�?#KoyIާ˖�VP�)Z�NN`��)Xfչ�%ȕ/�2F#x�oU��AtM��z'14m�2�HZ�\aT+nu; o]��F'e1R�>\J�BS+$�X/WfLN�ƇZʾ �w�6�6BKFslx�6�1��$*��
|
Network Security & Hardware 
