Risky Technology Management (Part 1 of 3)
by Scott Lewis
Technology risk management is often an interesting topic of discussion with customers. Most commonly, there is confusion regarding the many different types of security and risk management, and about liability and responsibility for overall risk mitigation to their business. Many times customers do not understand the difference between business risk management and mitigation on the one hand and technology based security risk management on the other. As a general rule, people want to combine the two and in the process fail to fully manage the expectations for either. Another misconception is that just because someone is an expert on business risk management, they are by default an expert in technology security risk management. In my experience, these are two distinct skills that are not often found in a single resource. The technology industry defines security risk management in general as “the implementation of the business decisions regarding risk mitigation and to provide a support system for the business to achieve a higher level of security and risk awareness.”
Throughout this article we will discuss the differences between risk management, technology security risk management, outsourcing risks, and cloud risks. We will also cover controllable risks and uncertain risks, along with operational and transaction risk. I will be pointing out mistakes or commonly overlooked items in a security strategy, along with giving you some real life examples from my own experience. Risk is something that has to be managed on an ongoing basis; there is no such thing as fully secured, and the human factor is going to ensure that managing risk is an ongoing challenge. We live in a world where data is for sale and access to your systems is an opportunity for some. How we manage risk, and how we approach our overall strategies concerning risk, is something we simply can’t overlook any longer.
When discussing risk with a client, we often have a discussion around the perception of outsourcing. It’s assumed that outsourcing to an IT managed services company, or moving your servers and infrastructure to the cloud, will by default reduce the overall risk to your organization in some manner. In some cases this may be true, depending on the ability of your in-house staff to understand and mitigate the continued technology risks associated with either of these strategies. To mitigate technology risks, the development of an overall IT strategy is a critical step, with risk mitigation as a part of that strategy. One example, from a corporate perspective, is the purchase of cyber insurance. If you are outsourcing or using cloud based systems or applications, you should have the expectation that your outsourced provider has also implemented security and risk mitigation processes that coincide with your overall strategy.
An important topic in today’s world when discussing technology risk and security mitigation is the understanding that, due to the popularity of cloud based systems and hosted applications, you may now have three, four or five layers of outsourced partners, and the risk that comes with each. An example of this multi-layered partnership: you host your primary systems in-house or in the cloud, while your project management or time collection systems are hosted by other vendors, creating a multi-layered security and integrated risk management process that must be managed. The baseline risk awareness when you have a multi-layered process is that each one of these systems could be transferring data back and forth, or be integrated with one another in some manner. This could create security holes that can be exploited. The exploitation of these security holes could come in the form of a full-blown hacker breach, or be as simple as a virus, malware or ransomware infestation. If you use outsourced managed services or cloud based systems, don’t confuse risk management and mitigation with the fact that you have outsourced; if you believe that outsourcing in itself transfers your risk to the vendor, you would be mistaken. Consider risk transference as part of your strategy, including liability and errors and omissions processes, but remember to cover yourself. In most cases insurance does not reach through to protect vendors, or to protect you from vendor mistakes.
A common mistake companies make during the development of a security management process or risk mitigation process is simply starting over from scratch. People often feel that the only way to improve is to assume that nothing you are doing is working, throw it all out and start over. This often does not yield the expected outcome, but it can give you a false sense of security, which lowers the perceived risk and actually raises the risk level of some kind of breach. The full replacement strategy, which can be very tempting, can also become an expensive strategy in the process. One of the biggest reasons not to start over is technology tunnel vision. Technology experts have many different views on security awareness and protection; most of them are similar in nature, with a different package or terminology used to convince businesses that their view is new and improved. Often these strategies yield no level of improvement but contain the same shortcomings, so before you throw out everything you have been doing, make sure that there is some manner to measure the current strategy in comparison to the new. Our approach has been to use published standards to evaluate the existing security measures, implement improvements on top of those, and identify areas that may have been overlooked, then implement new strategies to deal with those specific shortcomings. We have found that not only do we achieve a higher level of protection, it is also more cost effective and sustainable for a longer period of time.
Operational and transactional risk is an area that often does not get the attention it deserves or requires. Simply put, operational risk is the workflow processes of how data and information flow through your business: where it is stored, who has access to it, and what processes are needed to use, access and manipulate that data as it moves between steps. In order to have an effective security awareness program, it is important to understand how data is created within your organization, such as by field or mobile users, customer access portals, and suppliers and vendors. Then you have to understand how that data flows through your business, utilizing the software applications you have implemented to manage the data as it is collected. Transaction risk is the understanding, within that workflow, of the different risks that you are exposed to and how to mitigate those risks to the proper levels. This is basically an understanding of what could go wrong: with multi-layered vendors and suppliers, what could go wrong? What are the risks associated with outside integration processes? Transactional risks are often not understood, and often overlooked, due to the complexity of dealing with them; most are simply too focused on the benefits of securing the operational aspects, of which there are many, but it could be a risky technology strategy to ignore transactional risks.
Read part two next month in the Small Business Monthly.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies. Winning Technologies specializes in the selection, implementation, management and support of technology resources. Scott has more than 30 years of experience in the technology industry, having worked with more than 1000 companies on technology initiatives and strategies. Scott is a nationally recognized speaker on technology subjects such as cloud based computing, software, security, CIO level management, data and voice communications, and best practices related to the management of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.