Technology Risk Management

While hackers and ransomware get a lot of attention, other events can be as destructive. Hackers, ransomware and data breaches belong to the world of Cybersecurity. Our focus includes cybersecurity events but is broader and includes ALL technology-related events. These events are commonly called 'technology glitches' in the news, because there is no simple way to categorize them.

Technology glitches do not involve an outright malicious attack; instead, a software change may not have worked as intended, or an infrastructure upgrade may have caused a problem. These events are typically accidents and the unintended consequences of managing a complex technology environment. Managing these types of events may be in the CISO's office, but may also be part of the Risk function, which has a different focus and reporting hierarchy.

Technology glitches are as destructive as cybersecurity events and can be catastrophic, with Knight Capital being a prime example. The following white papers define Technology Risk Management and begin to quantify the possible financial impact.


Technology Risk Management - Defined

This white paper is the first in a series that proposes a methodology to proactively manage technology risk based on the economic impact of possible events. The audience for these white papers is risk professionals - Chief Risk Officers, Information Risk Officers, Operational Risk professionals - and others interested in managing information technology based on risk, or the possible economic impact of outages, data breaches and similar events.

Given the focus of this white paper is ‘Information Technology Risk Management’, it is important to distinguish Technology Risk Management from IT Audit, Incident Management, Information Security and IT Compliance, since the terms are often used interchangeably. It's also important because new terms are being coined to describe these activities, specifically the term 'Cyber Security'.

Access the full whitepaper.


Technology Risk Management: Scope and Scale

As explained in the first white paper in this series, the primary function of Cyber Security is to defend against active threats and attacks to the organization's technology services, including preventing the theft of intellectual property or client data, ensuring services are available, etc. The perpetrators in these attacks can be malicious insiders, outside attackers including hackers, nation states and a variety of other players. Just like its peer department in the real world - physical security - Cyber Security is typically focused on malicious activity that could impact high-value assets and the day-to-day operations of the firm. Of course, Cyber Security may also be proactive and try to prevent attacks. For example, some Cyber Security departments use behavioral analysis to look for anomalous activities before there is an actual attack. However, Cyber Security’s primary focus is very clear: protect high-value technology assets from actual or suspected malicious activity.

Access the full whitepaper.


Technology Risk Management: Determining Inherent Value

As explained in an earlier white paper, proper management of technology-related risks has to include all services that touch technology assets (the scope of technology risk management) and be able to show business impact in economic terms (to indicate the possible scale of impact). An extension of the discussion around impact and scale is how to determine the economic impact of a possible event. This white paper proposes that the economic value of any IT-related event is directly related to the economic value of the business services the IT asset or service supports. The greater the economic impact of an outage or other technology event, the higher the ‘risk’ of that IT asset. That economic value is not based on the price paid for the IT asset, but on the value of the business services it supports: the more valuable a business service, the more controls and oversight may be necessary. Higher ‘risk’ technology assets or services may warrant more focus and possibly more controls than lower ‘risk’ assets. Given there is only so much time and money to protect a firm’s technology environment, prioritizing focus and controls on the firm’s most valuable assets is logical. Business value is the only way to assess the dollar impact of a server having an outage or other issues. It is also the best way to show the scale of an outage or data breach; showing impact in economic terms inherently includes scale.

Access the full whitepaper.