Ask the Expert

How can service providers help with IT risk management?

Why is corporate IT risk management lacking, and how can the channel help?


IT risk management is a very different exercise than just managing and mitigating technology threats and vulnerabilities related to infrastructure. What's often missing in discussions of risk is the business impact should a condition arise that affects (at a minimum) the confidentiality, integrity or availability of the business' most important assets.

Most enterprises -- regardless of size -- have no reliable way to prioritize their efforts and spending so that risk is managed to an acceptable level through a transparent process. This is usually because they don't have a transparent process for IT risk management.

The first and most profound observation about organizations without a holistic risk management program is that they lack a repeatable, well-defined and business-driven risk assessment process, built on a framework that lets the business, IT, security and governance organizations participate transparently.

In many cases, putting a risk assessment process in place is thought of as too daunting, onerous and resource-intensive. Some companies seem to think that daily firefighting and tail-chasing are the best that can be achieved when it comes to IT risk management. Meanwhile, industry risk management frameworks are often overwhelming, and staffers have a hard time understanding where to start.

The channel can help businesses embrace the notion of managing risk by selecting a streamlined, rational and operationally feasible risk assessment framework. Service providers can master this framework and use it both to educate customers and to add a service to their portfolio. Two examples are OCTAVE and FAIR.

Once you begin consistently speaking to your customers in terms of managing risk and not just threats and vulnerabilities, you will ultimately open the doors to higher-level discussions regarding opportunities that matter most to organizations. This is because the discussion becomes one that is focused on prioritizing efforts based upon the business' needs and not the technology "hamster wheel of pain" that IT has come to represent.

This was first published in March 2008
