Want to know the one thing in IT that can help your career and your business arguably more than anything else? It's simple: Think about risk in every decision you make.
Executives, lawyers and all decision makers think about risk on a daily basis. If you want to be respected in IT and effect change in your business, you need to do the same.
It's important to understand the concept of information risk. I know it seems obvious, but I'm convinced that many people in IT are so caught up in the bits and bytes that they don't truly understand the basis of risk management in IT.
Information risk is defined as the likelihood that disruption, damage or loss would occur if a threat exploits a vulnerability. That's it; it's that simple. Now you just need to translate that into IT decisions that affect the business.
Making it a daily habit
Start thinking about issues you deal with on a daily basis with risk in mind. Some common IT situations might include:
- Procuring new hardware and associated maintenance contracts.
- Deploying commercial software and the implications it has for business processes, the storage of sensitive information and so on.
- Interacting with developers, especially those who are outsourced and/or offshore who may not have the proper buy-in.
- Bringing contractors, auditors and consultants into your building.
- Outsourcing applications, storage and the like to the cloud.
- Provisioning, re-provisioning or de-provisioning of user accounts.
- Standardizing on mobile device platforms and the new realities they're bringing to the enterprise (that, no doubt, executives and users alike are ignoring).
- Handling intellectual property (the keys to the kingdom that are often overlooked because everyone's too busy dealing with personally identifiable information).
Consider risk in each of these tasks. Ask yourself and others: how much risk is our business willing to accept, divert or ignore?
Information risk management in IT: Now or later?
With risk management in IT, you have choices. You can choose to help minimize risks before they become ingrained, or you can wait and address things on the flip side -- after unnecessary information risks become the norm. Avoid the issues when you can by speaking up when decisions are first being made.
Be careful, though, with how you present this heightened awareness of information risk management. You don't want to take this daily habit too far and become the annoying, paranoid voice in IT everyone avoids.
You have to be smart about balancing information risk with usability and convenience. It's okay to ask the tough questions. Just don't proclaim the sky is falling all the time.
If you think about the long-term impact of your choices in and around IT risk management, you'll build trustworthiness and credibility -- two of the most valuable traits an IT professional can possess. Ultimately, the business benefits, and everyone wins.
About the author: Kevin Beaver is an information security consultant, expert witness, author and professional speaker with Atlanta-based Principle Logic, LLC. With over 22 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around minimizing information risks. He has authored or co-authored nine books on information security, including the best-selling Hacking for Dummies. In addition, he's the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Follow him on Twitter at @kevinbeaver.
This was first published in October 2012