The onslaught on corporate security is relentless: each day companies face new external and internal threats, and each day they run up against the one resource that is not endless, money.
This is probably one of the greatest issues faced by solution providers and CIOs today: enabling companies to fight these security onslaughts with increasingly limited funds.
A good example is risk management, which, despite its ability to reduce risk and ultimately drive down costs, is still met with considerable scepticism. Although there is no quick solution, taking a few steps back might change a few perceptions out there.
For example, maybe risk management sellers are going about it the wrong way - selling a comprehensive solution while adding, as an aside, that it will probably cost hundreds of thousands of rand to implement.
Also, decision-makers who are simply told what to do may not feel that anyone is actually helping them solve the problem. The better course of action is to play an advisory role: define and analyse the company's current risk management posture, then make some well-researched recommendations.
This would undoubtedly enable everyone involved to truly understand why they need to implement a risk management solution and would in all likelihood justify the resultant costs.
Defining moments
Defining risk management begins with an inventory of a company's vulnerabilities, and although this is by no means an easy task, as most IT infrastructures were built in an ad hoc manner, it needs to be done.
However, a good place to start is to think of risk management in five pieces: disaster recovery, business continuity, confidentiality, accountability and data integrity. Defining these elements puts things into perspective.
Business and regulatory requirements should then be translated into technology decisions. A simple approach would be to spell out six key elements: content security, host security, application security, identity management, network security and security information management.
Once the vulnerabilities are identified, put it all on the table and ask: "What are you going to do about it?" Don't immediately suggest the solution but rather ensure that everybody understands there is a problem. Only when they ask to see their options, lay out the solution.
Tabling a solution
A safe and relatively comprehensible way of tabling a solution would be to create a tier of service levels - spelling out how each service level addresses the risk and what it will cost. This will also confirm that each solution is directly linked to corporate policy.
Then hope for the best.
At the end of the day there can only be three answers: the company can accept, assign (transfer) or mitigate the risk. Choosing to do nothing is itself a decision to accept the risk, and if the company makes it with open eyes, so be it; the consequences, though, can be far-reaching to say the least.
Negotiating risk management undoubtedly takes some finesse, as the costs involved are not minimal. The ability to translate the realities adequately is, therefore, critical. Making a company understand that risk management is not an option but a necessity is ultimately what will decide the deal.
* Danny Ilic is business technologist at Computer Associates Africa.