3 Things I Think I Know About “Cyber” Risk
by Ben Tomhave | January 8, 2014
First, a note: when I say “cyber risk” here, I do so knowing it’s a somewhat equivocal term. I’m using it generically to be inclusive of IT risk, information risk, technical risk, and anything else along these lines that would roll up under operational risk. More could be said, but I’ll save it for another time…
1) If your “cyber risk” program doesn’t align with your existing enterprise risk management (ERM) practices, then you’re doing it wrong.
2) If your enterprise risk management (ERM) practices aren’t accounting for “cyber risk” as part of your overall operational risk exposure, then you’re doing it wrong.
3) If you’re reinventing the wheel in a vacuum, playing “he said / she said,” or in any other way failing to act accountably and defensibly, then you’re doing it wrong.
We live in a world of digital business that suffers from ongoing internal fragmentation between business and technology, egged on by an ill-conceived enablement culture that grew out of a well-intentioned but poorly behaved desire to specialize and optimize. The reality is that we have technologists so disconnected from business reality that decisions are made in a vacuum inside a vacuum. Many IT or security people seem to think they have to “invent” risk management, risk assessment or risk analysis practices for their space, when in fact any successful business will already have some semblance of these practices defined at the business level.
It’s time for everyone to come together and get on the same page. In many ways, this is why I’m such a fan of the DevOps movement (which you can leverage even if you’re not doing a bunch of custom development work). In a DevOps world, you can’t help but all be on the same page, since, by definition, you start from being on the same page. 😉
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.