Risky Technology Management (Part 2)
by Scott Lewis
Part 2 of 3
Another common mistake that companies often make lies in how they create a risk register. The risk register is the list of risks you and your team created in order to identify every potential risk that might ever show up. The problem with most risk registers is that companies don’t know when to stop, and the list often contains things that, yes, in this strange new world could happen. However, the likelihood that many of these items will actually happen is so slim that they are simply not realistic objectives to account for in your risk mitigation plan, and it would not be cost-effective to implement countermeasures to prevent them.
I am in favor of companies developing risk registers; however, they have to be developed with common sense, with realistic research to measure each risk and a cost-to-reward analysis to determine whether the countermeasures that would prevent it are worth implementing. Bottom line: Yes, develop a risk register, keep it objective and realistic, and determine whether each entry is sustainable and measurable against the overall cost and risk to your organization.
Technology risks are often broken down into two categories: controllable risks and uncertain risks. Controllable risks are those known risks that have to be accounted for, such as viruses; malware; stolen data, both internal and external; and web surfing risks, just to name a few of the common ones.
Then there are the uncertain risks, which are those issues that give you little to no time to respond. They typically happen without notice and require quick troubleshooting to identify and resolve. Uncertain risks are typically known at a high level but are difficult to plan for and at times expensive to mitigate. Upper management often considers them acceptable risks until the uncertain event happens and the company finds itself in reactive mode, dealing with a preventable situation.
Technology, unlike many other professions, is an intellectual property career. This contributes to one uncertain risk: As technology professionals learn more and their skill sets improve, they tend to move on to what they perceive as greener pastures. It is not unusual for technology people to move around a lot throughout their careers. Unfortunately, when IT personnel move on, the intellectual property moves with them, so stopping or limiting the brain drain is a risk that needs to be addressed through proper documentation.
You should also know whom you partner with and why, but keep in mind when you pick a partner that you are hiring a company, not an individual. I always warn our customers: Don’t fall in love with the technician; fall in love with the company and the resources that come with the company. It will make for a much better and smoother relationship. However, the uncertain risk with outsourced companies is that most are very small, typically fewer than seven employees, including the owners, so you have to ensure that they can bring the best resources to the table to help manage your business when you need it.
Controllable and uncertain risks should both be part of your risk register. My examples were meant simply to start the thinking process, with a little common sense applied, so that you understand what controllable and uncertain risks are and how they apply to your business.
Another common mistake is the lack of risk intelligence, which basically means watching for changes and conditions within your company, network, or systems that would indicate a potential risk or a breakdown of security processes. One example of this is a change in staffing within your technology department or a department that handles sensitive data, such as research and development. Another example of risk intelligence involves who is reviewing system logs, firewall and intrusion detection system logs, and user activity logs. Is this routine technology activity happening, or are you simply waiting for an event that creates a security issue and then going back to try to figure it out?
Typically what we find is that companies already have the resources – software, automated monitoring tools and system tools that are designed to assist with and automate this routine activity. However, most have not implemented the tools, don’t check them on a routine basis, or simply lack the corporate policies, procedures and enforcement needed to support the implementation of security rules and regulations within the organization.
I recently had a discussion with a client whom we were working with to evaluate risk at the corporate level. Our discussion was based around investigating the need to add cyber insurance and update the overall corporate security model concerning end user management, telecommunications, and Internet usage and monitoring in order to keep up with the new age of technology and social media risks. This discussion was outlined with the goal of re-evaluating the current strategy for the purpose of upgrading and updating future security and risk mitigation strategies.
As the conversation progressed, it became clear to me that the client really didn’t understand the world of technology and the multilayered manner in which technology companies such as software companies, hardware vendors and cloud-based providers are structured in order to isolate risk and use risk transference to protect themselves. The technology industry in general has become very fragmented, and the risks are distributed so that it can be very hard to manage all the different risk elements from a customer’s perspective in order to assign liability.
Let’s take a deeper dive, starting with cyber insurance, which is basically designed to protect your company in the event that you have a cyber breach that results in data loss, system damage, notification expense, content liability and some regulatory investigative expenses. Don’t make the mistake of assuming that your vendor’s cyber insurance policy is going to cover you. In most cases it will not.
Cyber insurance is basically a risk transference policy; however, it doesn’t typically cover your clients’ losses, nor does it cover vendors and suppliers if the breach happens upstream of your business. Vendors and suppliers would typically be covered by their own cyber insurance policies or by liability insurance that covers errors and omissions within their business practices. Cyber insurance policies can be designed to cover just about anything, with the understanding that coverage comes with a price. However, in our experience, the best strategy might be to cover yourself, let your vendors cover themselves and then, if necessary, pursue liability and errors and omissions coverage to handle the rest.
Read Part 3 next month.
Scott Lewis is the president and CEO of Winning Technologies Group of Companies, which specializes in the selection, implementation, management and support of technology resources. Scott has more than 30 years of experience in the technology industry and is a nationally recognized speaker on technology subjects such as colocation, security, CIO-level management, data and voice communications, and best practices related to the management of technology resources. For more information, visit www.winningtech.com or call 877-379-8279.