Risk in IT

The October 2009 issue of Harvard Business Review has a great article on risk that needs to be shared and read inside IT. We tend to look to the past to predict the future and, as this article points out, that is a weak and ineffective position to take. We can’t really predict a 9/11 or a Katrina event very well. We think about standard deviations of impact, but a 9/11 event is far outside the expectation that might have been planned in advance.

Instead, we have to focus on being resilient organizations and have resilient processes and infrastructure. I read a book years ago, Managing The Unexpected, which was quite good. It talks about managing risk on the deck of an aircraft carrier or in the control room of a nuclear reactor. Few of us have to manage those levels of risk and complexity, but lessons from those arenas might help us think differently.

I tell people that there are two areas that are always going to be worry areas for CIOs, and those are security and business continuity planning. We try to prepare the enterprise against all possible risks in those areas and, as this article discusses, we can’t find all those risks. We can’t predict all the ‘black swans’. Instead, we have to figure out how to be resilient. We have to 1) make prudent investments up front, 2) practice what we can, 3) learn from others and then 4) focus on being nimble, fast and clear in our communications.

In the case of security and business continuity planning, we have to understand that ‘we don’t know what we don’t know.’ We can’t just look internally at our experiences and what we think. We must participate in the trade shows and conferences, listen to the experiences of others and seek out input from a diverse set of sources.

6 thoughts on “Risk in IT”

  1. Interesting blog post Mark!
    May I ask your assistance?
    I am hoping you value assisting people as much as I do.
    Can you refer any former associate or technical representative that took part in the implementation of the Sterling Commerce product at Seagate?

    We have an immediate need for such a professional at Life Technologies in Carlsbad, CA.

    Thank you Mark!
    Richard Osborne
    949 322 2450

  2. Mark
    Nice post!
    As an IT guy working in security the past 8 years I would add the following insight to what you wrote.

    IT management is about planning and executing predictable business processes. Security is about planning for the unpredictable.

    What does this mean?
    First of all it means that there is often a cultural schism between IT/CIO and Security/CSO because of this fundamental dissonance. In many organizations this dissonance is amplified by two additional factors – a) splitting of physical and information security into two separate operations silos and b) external regulatory compliance. Compliance as it pertains to security, finance and IT is often conveniently boxed into politically safe silos. OP (organizational politics) is not a bad thing, but multiple risk silos results in multiple and usually redundant costs. In addition, compliance regulation results in the management board adopting policies that are not organically their own – which is dangerous in its own right.

    The short answer to these issues is that security needs to be built into the business strategy and business process itself.

    Danny Lieberman
