You cannot have successful Enterprise Risk Management (ERM) without strong IT risk management. IT sits at the center of business like never before, and each day brings an increasing number of threats to privacy and information. A recent survey by Carnegie Mellon University’s CyLab is the basis of this article by John A. Wheeler. The answers provided by 66 respondents at the board or senior executive level from Fortune 1000 companies have been compiled by Wheeler into these 10 steps to better IT risk management.
For instance, the study showed that enterprise security governance was lacking almost universally among the respondents’ companies. Wheeler believes that by following these ten steps, companies can turn this trend around. The first two steps are to establish a separate risk committee and to ensure that “privacy and security roles within the organization are separated and responsibilities are appropriately assigned.” The next three steps, according to Wheeler, are to take inventory of the organizational structure, policies, and security program you already have and review them:
Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO (or CRO), the CPO, and business line executives. Review existing top-level policies to create a culture of security and respect for privacy. Organizations can enhance their reputation by valuing cyber security and the protection of privacy and viewing these as corporate social responsibilities. Review the components of the organization’s security program and ensure that it comports with best practices and standards and includes incident response, disaster recovery, and breach response plans.
It is also important, as Wheeler notes, to hold outside parties to your privacy and security needs: establish privacy and security requirements for vendors based on the needs of your company. Your organization should also conduct annual audits to confirm that the enterprise security program is on track, and a separate annual review is advised to gauge the effectiveness of controls; this is a good way to identify any faults or weaknesses that exist. In fact, receiving regular reports is a solid step towards more successful ERM in general. According to Wheeler, these include annual privacy compliance audits and budget reviews. Not only will you see how well risks are managed, but you will also have a better idea of what the costs of those risks mean for your company.
Successful enterprise risk management is no easy thing. However, following these ten steps put forth by Wheeler, drawn from the Carnegie Mellon University CyLab survey, will set you on the path to better IT risk management. Privacy threats and information security issues will likely keep growing in the years to come, but there is hope. Staying ahead of the curve with these ten steps may give you and your organization the competitive edge needed for success and growth.