Q

How can service providers help with IT risk management?

IT risk management is an important part of any company's IT strategy, and service providers are well positioned to help. Learn how to speak to your customers about a larger IT risk management strategy, and not just threats and vulnerabilities. This approach will help you and your customers prioritize IT security efforts based upon the business' needs.

Why is corporate IT risk management lacking, and how can the channel help?

IT risk management is a very different exercise than just managing and mitigating technology threats and vulnerabilities related to infrastructure. What's often missing in discussions of risk is the business impact should a condition arise that affects (at a minimum) the confidentiality, integrity or availability of the business' most important assets.

Most enterprises -- regardless of size -- have no reliable way to prioritize their efforts and spending so that risk is measurably managed to an acceptable level. This is usually because they don't have a transparent process for IT risk management.

The first and most profound observation regarding the lack of a holistic risk management program is the simple lack of a repeatable, well-defined and business-driven risk assessment process using a framework that allows the business, IT, security and governance organizations to transparently participate in the process.

In many cases, putting a risk assessment process in place is thought of as too daunting, onerous and resource-intensive. Other companies seem to think that daily firefighting and tail-chasing are the best that can be achieved when it comes to IT risk management. Meanwhile, industry risk management frameworks are often overwhelming, and staffers have a hard time understanding where to start.

The channel can help businesses embrace the notion of managing risk by selecting a streamlined, rational and operationally feasible risk assessment framework. Service providers can master this framework and use it both to educate customers and to add a service to their portfolio offerings. Two examples of such frameworks are OCTAVE and FAIR.

Once you begin consistently speaking to your customers in terms of managing risk and not just threats and vulnerabilities, you will ultimately open the doors to higher-level discussions regarding opportunities that matter most to organizations. This is because the discussion becomes one that is focused on prioritizing efforts based upon the business' needs and not the technology "hamster wheel of pain" that IT has come to represent.

This was first published in March 2008
