How can companies establish successful IT risk management? What steps do they need to take into account? After talking to Hanno Schaz, Head of Security Operation Center and Incident Response at DGC, in the first part of our interview on the topic of IT risk management about necessary measures for protection as well as current IT risks, this time we’re talking about implementing the mentioned topics into your own IT organization:
From human error to outdated IT components to security vulnerabilities in the digital ecosystem, we recently talked about the biggest IT risks and the resulting need for organizations to pursue risk management. Today, we’ll focus on how to make it happen.
How can a risk management process be successfully established within your own organization?
With risk management in the IT sector, companies pursue the goal of obtaining comprehensive transparency about their own current technological status in order to be able to counteract risks in an agile manner. For a successful introduction, there are essentially five steps to consider: First, the underlying strategy must be defined as part of the corporate strategy. This must be supplemented by a commitment of the company’s management regarding this topic – oftentimes in the form of a guideline about which all employees are informed. The next step is to set up the necessary organization to implement the strategy – this includes, for example, naming responsibilities and areas of activity. It is also necessary to define a field of application: The company must become aware of which areas risk management should cover. This can prove to be a major issue, especially for company groups, because business units cannot always be clearly separated from one another, or there are separate local responsibilities for IT operations or risk management. Last but not least, policies and procedures must be created and established – such as the emergency manual, emergency concepts and risk management procedures, but also procedures for business impact analyses or asset management for recording the assets to be protected.
Once these steps have been completed, the whole topic has to be transferred to operations and kept running – IT risk management means not only initial effort, but also continuous maintenance. However, with cost-efficient risk management, the effort involved is out of all proportion to the enormous costs that can arise in the event of damage. Persons in charge should, therefore, always weigh up possible threats and vulnerabilities, their probability of occurrence and the costs of countermeasures. Not every measure makes sense; each must be seen in relation to the risk or possible damage.
What types of risk analyses can be helpful for setting up an IT risk management process?
Business impact analyses have proven to be particularly helpful: They allow critical information assets – such as documents, computers or applications in use – to be examined in detail and evaluated with regard to various emergency scenarios. The impact can be subdivided into various categories in order to quantify the potential damage more precisely and to differentiate risks – for example, with regard to financial consequences, reputational damage and consequences for employees. Process analysis – i.e., the assignment of endangered assets to a business process – helps in assessing the extent of potential damage in each case. In sales, for example, an indicative value can be defined for the hourly costs that would be incurred if a digital sales tool were to fail.
Business impact analyses therefore make a major contribution to making something intangible such as a risk tangible. This enables managers to make fact-based decisions about which security measures are appropriate – and which are not.
Are there other methods that can assist in assessing potential IT risks?
There is a whole range of other analysis methods that provide essential information for the design of risk management. Professional penetration tests, for example, are suitable for assessing potential risks. These simulated hacker attacks test IT infrastructures and reveal real points of attack that could be exploited by cybercriminals. Persons in charge are shown how far the pentester has penetrated the systems and what damage it could have caused.
A vulnerability analysis executed by our IT security tool cyberscan.io, which provides a comprehensive vulnerability view of the IT systems in just a few steps and makes the associated risks visible, also proves to be helpful. But a capacity analysis can also provide a good data basis for assessing risks such as hard disk bottlenecks and memory overloads and for developing appropriate countermeasures. In addition to risks in the area of IT administration, elementary hazards such as water, storm, lightning and fire should be included in risk management. These environmental impacts can also cause failures in the IT landscape if, for example, several cooling towers in the data center fail due to fire or heat.
The applied analyses can therefore be very versatile and should always be selected depending on the specifics of the respective company and the threat situation. For a transparent overview of the current security situation, it proves to be purposeful to work together with a professional service provider such as DGC. With powerful security tools and expertise, a comprehensive scan of the IT organization is made possible, and fundamental data for risk assessment and optimization is provided.
Want to make your company’s current IT risks visible and measurable? Contact us now – we look forward to your inquiry and will be happy to advise you on IT security issues.
What role do training courses and practical exercises play in establishing successful risk management processes in the company?
Regular training sessions, as well as exercises, play a crucial role in implementation and are a cornerstone of emergency management. Employees who have, for example, discussed a procedure for dealing with a ransomware attack in a communication exercise, deepened it in a planning exercise or even tested it in a coordination exercise in a controlled environment are prepared for an emergency. They are more likely to act in a level-headed and coordinated manner. For example, the time it takes for the crisis team to become operational and meet on a communication platform should also be measured. The scenario provides the framework for this – in the event of a ransomware attack, one of the challenges is that familiar communication platforms are no longer available. This provides important insights for optimizing the emergency concepts that are being developed.
The whole issue can be extended: In an emergency exercise, the disaster recovery processes are also put to the test in reality. An entire site is shut down in a controlled manner and put back into operation. The recovery plans used and the times determined for the restart make it possible to define risks precisely and plan suitable measures. Well-trained employees are the basis for such exercises. Therefore, this places high demands on a company’s internal education and training programs.
In order to protect confidential company information, assign usage rights securely and in line with requirements, and secure communication channels, employees need user knowledge adapted to their function. Especially in the onboarding process, user training is essential to convey the basics as well as background and regulations on information security.
How important is cyber insurance for risk management in IT?
Various methods can be used to deal with risks. Risk minimization aims to reduce probabilities of occurrence or the impact of risks to an acceptable level. Risk outsourcing can mean that operational or business processes are outsourced to other forms of enterprise. In the context of IT operations, this can be outsourcing a service to an external service provider. Another method of dealing with risks is risk prevention in the form of cyber insurance. In the event of an emergency, this enables the financial impact of the damage that has occurred to be reduced and additional costs incurred to be absorbed by emergency management.
If all risk management methods have been exhausted, risk acceptance remains in the end. This should only be chosen as a last option, should be considered in a differentiated manner and should be well documented.
Thank you very much for the interesting discussion.
Read also our first article on the topic of IT risk management!