Facing IT Risk Head-on
Here’s a pop quiz for you: should you spend your time focusing on the newest threat on the horizon, or on the nagging risks that never seem to leave? If you said newest threat, you’re wrong. If you said nagging risks, you’re also wrong. This article by Russell A. Jackson explains why IT has to focus on both emerging technology threats as well as previous risks that never go away.
While technology has allowed customers to interact with companies like never before (have you ever set foot in an Amazon retail store?), it’s also opened up those companies to profound threats that were impossible before technology became so prevalent. Jackson cites two types of threats: threats to an organization’s IT infrastructure, and threats to its operations arising from new advances in technology. In some cases these threats are beginning to blend, such as in cloud computing, which includes both types, and in mobile computing:
Mobile computing causes sleepless nights, as well. The use of personal tablets and smartphones represents a major risk, Ricardo Rodriguez, director of internal audit at NRG Energy Inc. in Princeton, N.J., points out. “Part of the problem is the difficulty companies have in ensuring that employees adequately protect confidential and sensitive information,” he says. “No matter how many controls you have in place that enable people to use personal devices with safeguards, you need employee commitment to ensure they are effective. Unfortunately, there is no IT application or software that can enforce human behavior.” Other worries internal auditors cite include successfully and securely implementing virtualization, Web-based security, and unified communications technologies, because each can boost productivity and introduce new threats to the production environment.
But Jackson doesn’t just use fear in this article; he also explains that internal auditors can address IT risks in the same way they address most other risks within the organization. While they aren’t exactly the same, the methods of identifying and communicating IT risks can be the same as for any other risk. The important decision comes when deciding whether to keep IT audits integrated with other audits or to separate them out for special consideration. Deciding involves identifying which approach would benefit the IT organization and the business more, and shaping the auditing process around that discovery.