Every company has risk. In fact, risk can and should be construed as a good thing: no risk, no reward. What matters is how quickly a company can accurately identify current and future risk vectors and respond to them. Risk management is becoming an increasingly important facet of how well a company executes, and companies that excel at it have found themselves with a newfound competitive advantage.
Why aren't more companies "competing on risk"? According to a 2007 McKinsey survey, "many companies design their approach to IT around what they do, not what they could be doing." The survey goes on to reveal that leading companies approach IT investments as they would a personal finance portfolio, classifying IT purchases as low-risk (stay in the race), medium-risk (win the race), or high-risk (change the rules of the race).
Another survey, by the IT Policy Compliance Group, found three categories of enterprise IT organizations: "leaders," which they categorized as having an average of six compliance deficiencies, security-related business disruptions, or losses of sensitive data; the "norm" having an average of 17; and "laggards" averaging 65.
These surveys indicate that today's corporations are much more risk-aware than some (such as security vendors) would think, and that despite conflicting opinions about what sort of risk management metrics matter and why, there are benchmarks for measuring how effective a company's IT risk management efforts are.
So what distinguishes a leader from a laggard? Leaders are able to create the right mix of people, process and technology to implement clearly defined business processes that enable them to be more resilient amidst changing IT regulations and constantly evolving business requirements.
While process is only as good as the people and technology behind it, a good process can bring out the best in the people and technology that execute on it. As security organizations continue to adopt a more business-oriented role, well-thought-out processes will play a key role in shaping tomorrow's risk management leaders. Below is one that has been adopted by large, heavily regulated companies. It is no panacea, but it can provide a solid starting point for any company looking to embrace a more risk-aware approach to IT:
1) Prioritize the environment. In order to effectively manage risk, you need to know what your critical IT assets are: how many servers and applications, who uses and manages them, and the type of data processed and stored. Some companies measure the assets' relative importance to one another in terms of the business processes they support or the liability associated with the data they handle. Although many tools track this information, the trick is organizing it by business unit, geography, data center, product line, or some other grouping that lets analysts use it on their own terms, given how management may view risk or how an auditor may want to view compliance reports.
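The prioritization step above, worked through as an added example (this code is not from the article or any tool it mentions). It uses a small constructed asset inventory; the criticality formula (liability of the data handled plus importance of the supported business process), the weight tables and all asset names are hypothetical. It ranks assets, re-aggregates the same inventory by whatever grouping a given audience wants (business unit, region, data center), and flags records that lack an owner or other required field, since an asset nobody owns is itself a risk gap.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical, not from the article). Each record
# carries the fields the article says you need: what it is, who manages it,
# which business process it supports, and what data it handles.
ASSETS = [
    {"name": "erp-db-01", "type": "server", "business_unit": "Finance", "region": "EU",
     "data_center": "FRA-1", "process": "quarterly close", "data": ["PII", "financial"],
     "owner": "dba-team"},
    {"name": "web-shop-02", "type": "application", "business_unit": "Retail", "region": "US",
     "data_center": "ASH-2", "process": "order fulfilment", "data": ["PII"],
     "owner": "ecommerce-team"},
    {"name": "www-marketing", "type": "application", "business_unit": "Marketing", "region": "US",
     "data_center": "ASH-2", "process": "marketing site", "data": ["public"],
     "owner": "web-team"},
    {"name": "dev-sandbox-07", "type": "server", "business_unit": "Engineering", "region": "EU",
     "data_center": "FRA-1", "process": "dev sandbox", "data": ["internal"],
     "owner": ""},  # owner unknown: an inventory gap, not just a low-value box
]

# Hypothetical weights: liability of a data class and importance of a process.
DATA_WEIGHT = {"PHI": 4, "PII": 3, "financial": 3, "internal": 1, "public": 0}
PROCESS_WEIGHT = {"quarterly close": 4, "order fulfilment": 3, "marketing site": 1, "dev sandbox": 0}

REQUIRED_FIELDS = ("owner", "process", "data", "business_unit")


def criticality(asset):
    """Score = liability of the most sensitive data class + importance of the process.
    Unknown data classes or processes get a conservative weight of 1 rather than 0."""
    data_score = max((DATA_WEIGHT.get(d, 1) for d in asset["data"]), default=0)
    return data_score + PROCESS_WEIGHT.get(asset["process"], 1)


def rank_assets(assets):
    """Most critical first; sorted() is stable, so ties keep inventory order."""
    return sorted(assets, key=criticality, reverse=True)


def group_by(assets, key):
    """Re-aggregate the inventory by any grouping field so each audience
    (management, auditors, a data-center lead) sees it on their own terms."""
    groups = defaultdict(lambda: {"count": 0, "max_criticality": 0, "total_criticality": 0})
    for asset in assets:
        score = criticality(asset)
        bucket = groups[asset[key]]
        bucket["count"] += 1
        bucket["max_criticality"] = max(bucket["max_criticality"], score)
        bucket["total_criticality"] += score
    return dict(groups)


def incomplete_records(assets):
    """Return (name, missing_fields) for assets whose required fields are absent or empty."""
    findings = []
    for asset in assets:
        missing = [f for f in REQUIRED_FIELDS if not asset.get(f)]
        if missing:
            findings.append((asset["name"], missing))
    return findings


if __name__ == "__main__":
    for asset in rank_assets(ASSETS):
        print(f"{criticality(asset):>2}  {asset['name']:<15} {asset['business_unit']}")
    for view in ("business_unit", "region", "data_center"):
        print(view, group_by(ASSETS, view))
    print("incomplete:", incomplete_records(ASSETS))
```

The point of keeping `group_by` generic is that the same scored inventory answers a management question ("which region carries the most critical assets?") and an audit question ("what lives in FRA-1?") without re-collecting data; the `incomplete_records` check is what turns an inventory into something an analyst can trust.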