Sep 3, 2014
IT security and risk management is a vital part of running a successful company in today's business environment.
Organizations face a long list of cyber and physical threats: malicious online activity, natural disasters and power outages are just some of the incidents that can take vital systems down.
This is why many companies invest in protections such as up-to-date antivirus software, standby databases and extensive disaster recovery plans.
Maintaining comprehensive business continuity practices helps ensure round-the-clock operational capacity, minimal revenue losses and stakeholder confidence.
However, according to Gartner, securing executive buy-in for IT security and risk management systems can be a challenge. Many technology departments claim they struggle to communicate current dangers effectively to colleagues who do not have IT expertise.
Paul Proctor, Vice-President and Distinguished Analyst at Gartner, said the rapid pace of change in the digital realm is creating significant conflict at many businesses.
He said organizations have two competing camps: business executives who want to drive innovation, and senior IT professionals who want to rein in risk.
Previous Gartner figures have shown that security solutions, including data loss prevention systems, will experience significant growth this year. The market is expected to climb 7.9 per cent in 2014 to US$71.1 billion.
Clearly, a rising number of enterprises are considering how to best prepare for the potential problems caused by doing business in an increasingly digital world.
So how can IT executives communicate the benefits of risk and security measures? Gartner has outlined a number of tips that should help businesses harmonize their departments.
1. Formalize programs
Businesses are advised to formalize their risk and security schemes, making them repeatable and measurable. Gartner describes four key phases a program must go through during implementation: govern, plan, build and run.
2. Measure maturity
Gartner recommended measuring the maturity of risk and security programs to ensure any knowledge and effectiveness gaps are identified and overcome.
3. Understand KPIs and KRIs
It is important for organizations to set new measures for business success that incorporate both key risk indicators (KRIs) and key performance indicators (KPIs).
Gartner warned against focusing only on IT-specific KPIs, as this suggests that IT risks are isolated to that department, when they are typically company-wide issues.
4. Utilize risk-based methods
Companies should make a concerted effort to manage risk proactively, which includes a conscious decision on what they are willing to do to mitigate risk.
"Stakeholders in non-IT parts of the business must make these decisions, not leave it up to IT professionals alone," Gartner said.
5. Align risk and corporate objectives
A key way of gaining executive support for risk and security solutions is to avoid using fear, uncertainty and doubt as reasons to invest.
Business leaders will want to know what such systems deliver, so demonstrating specific commercial value is more likely to succeed.
6. Stay away from operational metrics
IT specialists should steer clear of operational metrics when describing risk initiatives, as many business executives have no background in that area and cannot translate such figures into business impact.
7. Clear communication
Core questions that senior leaders will want answered include 'what are the risks?' and 'what can we do about them?' Gartner said any IT team that can provide comprehensive replies will have a good chance of success.
"Executive decision-makers want to know the business is adequately protected against risk, but need to weigh the risks of yesterday and today against the opportunities of tomorrow," the organization added.