Let’s see what goes into the perfect storm of risky IT developments: increasing complexity, shrinking budgets, a BYOD culture and, let’s see… yes, some new technology like the cloud. What comes out? A great opportunity for bad things, and that is exactly where IT finds itself these days. Caught between new technologies and lessening control, IT can no longer rely on its old models of risk management; they simply won’t keep organizations from being exposed to outside threats the way they once did.
A few new, effective ways to manage these risks are presented in this article by Kevin Cunningham. Cunningham begins by explaining how risk management has to be embraced by the whole organization, not just IT:
This requires a formal categorization of risks in order to understand potential threats and vulnerabilities, and to implement the appropriate set of controls to balance the business’ need for convenience, usability, and availability with the need for security measures that mitigate risk. This includes implementing the necessary controls to eliminate specific risks such as workers who hold access privileges they don’t need, terminated workers whose access privileges are not removed, or toxic combinations of access privileges that increase the potential for fraud, etc.
The article then goes on to explain that the organization must have “identity intelligence” tools that let the business see what access each employee has, how they are using it, and any potentially risky actions they take. The last tip Cunningham lists is open collaboration between IT and the business. After all, it will take both groups working together to align IT’s operational policies with the business and to implement the processes for identifying which resources have access to which systems.
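The three specific risks Cunningham names in the quoted passage (unneeded privileges, terminated workers who keep their access, and toxic combinations of privileges) are exactly what a basic access review looks for, and the “identity intelligence” view of who has what access and how they use it is the input such a review needs. The following is an added example, not code from the article or from any product it describes: a small Python access-review routine run over a constructed set of users, entitlements, HR status and last-use dates. The entitlement names, the separation-of-duties pairs in TOXIC_PAIRS and the 90-day idle threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class User:
    """One identity as an identity-intelligence feed might present it (constructed)."""
    user_id: str
    status: str                       # "active" or "terminated" (HR status)
    entitlements: set                 # access privileges currently granted
    last_used: dict = field(default_factory=dict)  # entitlement -> date last exercised


# Assumed separation-of-duties rules: each pair of privileges that, held together,
# lets one person both initiate and approve a transaction (a "toxic combination").
TOXIC_PAIRS = {
    frozenset({"ap.create_vendor", "ap.approve_payment"}),
    frozenset({"gl.post_journal", "gl.approve_journal"}),
}

# Constructed sample data: names and entitlements are hypothetical.
USERS = [
    User("alice", "active", {"ap.create_vendor", "ap.approve_payment"},
         {"ap.create_vendor": date(2024, 5, 1), "ap.approve_payment": date(2024, 5, 2)}),
    User("bob", "terminated", {"crm.read"}, {"crm.read": date(2023, 11, 1)}),
    User("carol", "active", {"gl.post_journal", "hr.read"},
         {"gl.post_journal": date(2024, 4, 20)}),   # hr.read has never been used
]

# Date the review is run as of (constructed).
REVIEW_DATE = date(2024, 6, 1)


def terminated_with_access(users):
    """Terminated workers whose access privileges were never removed."""
    return sorted(u.user_id for u in users if u.status == "terminated" and u.entitlements)


def toxic_combinations(users, rules=TOXIC_PAIRS):
    """Users holding every privilege in at least one separation-of-duties pair."""
    hits = []
    for u in users:
        for pair in rules:
            if pair <= u.entitlements:
                hits.append((u.user_id, tuple(sorted(pair))))
    return sorted(hits)


def unused_entitlements(users, as_of, max_idle_days=90):
    """Privileges an active worker holds but has not exercised within the idle window."""
    stale = []
    for u in users:
        if u.status != "active":          # terminated users are reported separately
            continue
        for ent in sorted(u.entitlements):
            last = u.last_used.get(ent)
            if last is None or (as_of - last).days > max_idle_days:
                stale.append((u.user_id, ent))
    return stale


def access_review(users, as_of, max_idle_days=90):
    """Run all three checks and return the findings keyed by risk category."""
    return {
        "terminated_with_access": terminated_with_access(users),
        "toxic_combinations": toxic_combinations(users),
        "unused_entitlements": unused_entitlements(users, as_of, max_idle_days),
    }


if __name__ == "__main__":
    for finding, rows in access_review(USERS, REVIEW_DATE).items():
        print(f"{finding}: {rows}")
```

Each finding maps to a control the quoted passage calls for: revoke the terminated user’s access, remove one side of the toxic pair (or route it to a compensating approval), and certify or remove the idle privilege. In practice the users and last-use dates would come from the directory, HR system and application logs rather than an inline list.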