No place to hide from failure to manage IT risks
Are IT professionals with organisational and broader societal responsibilities doing enough to back up the need to manage risk?
That’s the question from Alan Rodger, analyst from Ovum, who says that the world around us is ever more complex and connected at almost every level, and as a result IT’s responsibilities are strongly in the spotlight.
Rodger says that in many areas of IT, the obvious potential or actual impact of risk has brought about better focus on the important issues. “For example, cyber-security now has ubiquitous board-level attention, and has brought realignment to the IT security sector,” he says.
“In addition, business continuity is more often addressed at a high level, having matured from relying on ‘hot’ technology swaps. Project risks are also usually better recognised and managed, and the scale of historical disasters more often avoided.”
However, Rodger says there are numerous areas in which there is much more that should be done within many organisations:
• Supply-chain risk associated with as-a-service delivery (especially where individuals are allowed to adopt software usage via shadow IT).
• Security being built into all levels of software, and being visible, within development and other software lifecycle processes.
• Failure to treat as strategic the use of services such as payments systems, which Ovum research has identified may be chosen over integration capabilities as a result of developer choice, rather than an analysis of process-level issues and due diligence.
• Lack of an architectural approach to IT-related change, which can lead to failure to address risks early and can drive up the resulting cost.
Rodger says IT is so central to business operations and processes that risk management in IT is a critical enterprise capability. “IT managers must honestly evaluate weaknesses in their approach to managing risk, across all their capabilities and services (home-grown and bought-in), and must focus attention and investment to make improvements first in areas that could allow any substantial damage,” he explains.
“Unless this is done, the prospect of damage avoidance, and of success in maximising the organisation’s benefit from technology opportunities (particularly those upcoming, such as the Internet of Things), is likely to be substantially reduced.”
The reward of IT’s high profile is a place in the spotlight, but where light shines things can be seen better, Rodger says. “Risk is also much higher profile than ever before, and there will be no place to hide if anti-risk measures that should be taken in the IT domain are left until unfortunate headlines are made and an inquest is being held.”