Risk management
Sean McCloat, CISSP August 1, 2018 6 min read

How Risk Management Can Improve Your Company's IT

As an IT manager, you may think of risk management as outside your purview. That's a mistake.

Risk management should not be confined to the finance or accounting department at your company. Nor is it only for companies with their own risk management team led by a Chief Risk Officer to worry about.

Instead, as the person responsible for IT at your company, you need to think about how you can protect your organization from a technology standpoint. What keeps the business up and running?

Before We Get to Cybersecurity

It can be overwhelming to think of the sources of risk across your entire company. That’s why you need to narrow the scope, and instead focus on IT and your impact on the company.

When we start talking about risk, what comes to mind immediately may be security breaches, viruses, and malware. But risk management starts at a much more basic level than that.

Look at the risk associated with the IT applications used across your company. Think in terms of redundancy and resiliency. What keeps business operations running smoothly?

Backup, Disaster Recovery, Business Continuity

You should first concentrate on backup, disaster recovery, and business continuity as it relates to your network, servers, and workstations. How much risk is in your environment in these areas?

Backup is always about Recovery Time Objective (RTO) and Recovery Point Objective (RPO). If you haven’t already defined RTO and RPO for your organization, you should formally define them. Discussing these metrics with your executive team, along with your recommendations, can help to foster meaningful conversations around this topic.

It’s possible your executive staff has much more ambitious RTO and RPO goals in mind — until you quantify for them in dollars the investment that would be required to reach those goals.

Move Beyond Compliance

The purpose for doing backups is not confined to compliance. If you’re only doing backups to check off a box on a compliance checklist, you’re not doing your organization any favors. After all, the reason behind compliance mandates is to increase the security of a company’s IT infrastructure. In addition to performing the backups, you must also validate them.

Doing backups to protect data is not confined to supporting users when they accidentally delete a file. Backup, disaster recovery (DR), and business continuity (BC) go way beyond user issues.

Be Selfish

Assess your organization’s risk from an IT perspective only. Think about what comes across your desk that you control.

This can be difficult, especially if you’re one person supporting 100 users, but it’s up to you to start these conversations. Your executive team has an assumption that you’re doing what you should be doing — keeping the company’s technology secure and operating successfully. Make sure the leadership team understands the deficiencies in the company’s IT infrastructure.

In addition to keeping users happy, you want to foster a positive impression of the IT team.

Quantify Current Risks

There are risks inherent in the design and operation of any IT infrastructure. Is your executive team aware of those risks? It’s up to you to quantify what those risks are. If you don’t, the reputation of you and your team can be adversely affected (even if it’s not your fault).

Consider perception versus reality.

When you tell your CFO that you do backups, he or she may be thinking that if a server fails, you can resume normal operations within a couple hours; but you may realize that it’s closer to two days.

You may be running backups every night, giving people the perception that you can recover data quickly if an outage or security breach occurs. But the reality may be much different.

  • Are you testing your backups on a regular basis?
  • Are you recording those test results?
  • How long does it take to restore an entire server?
  • Is there resiliency built into your systems?

This is where discussions around RTO and RPO are so critical. If you are doing backups but are nowhere near where you need to be from an RTO/RPO perspective, you need to have those tough conversations internally as to what it means to be ‘doing backups.’
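The perception-versus-reality check above can be made concrete by comparing recorded restore tests against the agreed targets. The following is an added example, not code from the original article or from Corserva; the server names, durations, and the RTO/RPO targets are constructed sample values.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional

@dataclass
class RestoreTest:
    """One recorded restore test of a whole server (constructed for this example)."""
    server: str
    restore_duration: timedelta   # wall-clock time from "server lost" to "users working again"
    backup_interval: timedelta    # how often this server is backed up (bounds the data loss)
    succeeded: bool               # a failed restore means the backup is not usable

def rto_rpo_gap(tests: List[RestoreTest], rto_target: timedelta, rpo_target: timedelta) -> Dict:
    """Compare what the restore tests measured against the agreed RTO/RPO targets.

    Worst case is used on purpose: the executive conversation is about the slowest
    server and the longest gap between backups, not about the average."""
    if not tests:
        raise ValueError("no restore tests on record: recovery time is unknown")
    failed = [t.server for t in tests if not t.succeeded]
    restored = [t for t in tests if t.succeeded]
    measured_rto: Optional[timedelta] = max((t.restore_duration for t in restored), default=None)
    measured_rpo = max(t.backup_interval for t in tests)
    return {
        "measured_rto": measured_rto,
        "measured_rpo": measured_rpo,
        # RTO is met only if every server restored and the slowest one was inside the target
        "rto_met": not failed and measured_rto is not None and measured_rto <= rto_target,
        "rpo_met": measured_rpo <= rpo_target,
        "failed_restores": failed,
        "slowest_server": max(restored, key=lambda t: t.restore_duration).server if restored else None,
    }

# Constructed sample: nightly backups everywhere, three full-server restore tests on record.
SAMPLE_TESTS = [
    RestoreTest("dc01",    timedelta(hours=5),  timedelta(hours=24), True),
    RestoreTest("fs01",    timedelta(hours=46), timedelta(hours=24), True),   # the "two days" case
    RestoreTest("print01", timedelta(hours=18), timedelta(hours=24), True),
]
# Assumed targets: leadership believes "a couple of hours"; one night of data loss is tolerable.
RTO_TARGET = timedelta(hours=4)
RPO_TARGET = timedelta(hours=24)

if __name__ == "__main__":
    report = rto_rpo_gap(SAMPLE_TESTS, RTO_TARGET, RPO_TARGET)
    print(f"measured RTO {report['measured_rto']} (target {RTO_TARGET}) met={report['rto_met']}")
    print(f"measured RPO {report['measured_rpo']} (target {RPO_TARGET}) met={report['rpo_met']}")
    if report["failed_restores"]:
        print("failed restores:", ", ".join(report["failed_restores"]))
```

Run against real test records, the numbers this produces are the ones to put in front of the executive team: the measured RTO, not the assumed one.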

Redundant Systems

You need to assess your day-to-day operations to evaluate if your assumptions are in line with the executive team. Protect yourself. It is up to you to determine what investment the company is willing to make to prevent downtime.

For example, if you have one domain controller, and it fails, you need to make sure the executive team understands the ramifications. Until you set up a new domain controller to replace the bad one, no one can log in to the company’s servers, and VPN access is unavailable.

Or, if you’re a law firm with one print server managing all the printers in the office, it may take 12-24 hours before you’d have a new one in place.

Explained in this way, these scenarios may not be acceptable to your management team. Instead, they may decide to invest in redundant systems.

Do Not Make Assumptions

Your assumptions could negatively impact revenue. Do not make these decisions on your own. Instead, you should make recommendations to the executive team on what is a reasonable amount of risk to incur and what that means. Together, you can decide what is a prudent investment to make.

You may be surprised to discover that your leadership team is willing to increase investment in IT once they understand the risks they face.

For example, you may believe that management does not want to incur the costs of having a live standby IT environment available, ready to be spun up from your IT provider. But don’t make those assumptions on your own. A four-day recovery time in the event of catastrophic loss may not be acceptable.

You do not want to find yourself in the hot seat if an outage brings business operations to a halt and everyone is looking to you for a quick solution.

Consider an IT Risk Assessment

It can be overwhelming to consider all the areas within your IT infrastructure that affect business operations. This is where a formal IT risk assessment can be beneficial. A risk assessment by an outside third party can help you to quantify the risks associated with your IT and make recommendations to lessen risk where desired.

An IT risk assessment done by an outside technology firm can provide you with much guidance as to the level of investment you should make and the consequences of that investment, or lack thereof. Such a risk assessment will ensure that you deliver the expected results to the executive team before investing in more hardware, software, or services.

Going through an IT risk assessment brings to light the technology decisions that have been made and deepens everyone’s understanding of the impacts of those decisions.

Gain Support for Your Budget Requests

Undoubtedly, you are already painfully aware of some of the weaknesses in your IT infrastructure. There may be areas you haven’t touched to avoid breaking something that is currently working. But it could be one of the things keeping you up at night.

You need to be able to communicate this in business terms to your executive team.

The IT risk assessment can provide you the necessary data to prepare for budget planning. You will have the evidence to support why certain initiatives must be completed, technologies implemented, hardware/software purchased, etc.

Get a Quote Now

Corserva provides IT risk assessments that evaluate your entire IT infrastructure. We work with you to review your existing cybersecurity concerns, discuss previously unknown risks uncovered in our evaluation, and make recommendations where you can make improvements.

Request a quote for an IT risk assessment today.

Sean McCloat, CISSP

Sean is responsible for Corserva’s network and security operations centers, field services, sales engineering, data center operations, and professional services. He has an intense focus on delivering exceptional customer service across a wide array of client engagements. With 25+ years of national and global experience in the IT industry, Sean has real world experience at the corporate and enterprise levels of healthcare, advertising, and logistics organizations. In addition to his CISSP certification, Sean is a CMMC-AB Registered Practitioner (RP). He leads Corserva’s assessment and compliance team, guiding companies in meeting business objectives with NIST 800-171 and CMMC.