As the business community begins to investigate opportunities to introduce new technology devices into its operations, questions are starting to arise about its ability to manage the inherent risk involved in doing so.
From iPhones to virtual desktops, the changes in the way IT services are delivered and managed have resulted in big changes in the way people interact with and exploit technology, as business leaders, as consumers, and as users.
As high-risk activities increasingly occur beyond the boundaries where traditional control environments operate, these changes will tear up the rule book in the way successful enterprises think about and govern risks. Compliance with ISO27001 or ITIL, or adherence to COBIT, within the IT function may no longer alone be sufficient to govern the risks over IT services, if it ever was.
Here are some questions IT leaders should be asking themselves as they consider their risks:
• Companies have responded to the need to hold and manage rapidly increasing volumes of data by outsourcing data management to third parties. Yet how much control is being exercised over the data handling performed by these third parties, and even where these vendors are accredited (e.g. via ISO27001), how well is it understood what assurance this accreditation does and does not provide?
• As companies engage in more and more joint ventures and partnerships, the need to share and disseminate commercially sensitive data is also increasing. Yet as many organisations currently fail to identify and manage their own sensitive data appropriately, how will they expect their partners to do so?
• People's interaction with technology outside work is an area not often considered on risk registers. One example is the risk of staff sharing personal and potentially sensitive company information via social networking sites such as Facebook. This may include information which can be used to compromise the security of users' corporate network accounts (for example, date of birth, spouse's name, house number, family members' dates of birth). What is being done to manage security breaches which start outside the workplace?
• Huge volumes of data, ranging from customer purchasing habits to transaction tracking logs, have been building up within corporate systems for years, but over the next decade we are going to see an explosion in both the ability and the opportunities for enterprises to exploit this data. What has previously been a differentiator will become a prerequisite for survival. Data quality may become as important as product quality in determining which of today's enterprises are still here in 2020. Is the failure to adequately exploit commercial data being treated seriously enough as a risk?
The counterpoint of risk is opportunity, and IT functions which can effectively manage their risks will enable their businesses to radically outperform those companies which are put off by, or simply not up to, the challenge. Companies where IT feels empowered to influence commercial decision-making, by demonstrating how business enablement can be driven by effective management of technology risks, will prosper greatly at the expense of those companies where ignorance or fear of new or changing technology risk areas either prevents them from moving into new areas or results in failures when they attempt to. This is the time for IT leaders to step up and put themselves and their function at the centre of driving their business forward.
Fraser Nicol is an IT Risk professional working within Ernst & Young's IT Advisory Practice.
This was first published in May 2010.