IT risk management guide: The underpinnings for a formidable IT security defense



Last updated on: March 18, 2025

A recent report found that 75% of organizations have had to change their cybersecurity approach in recent years. As organizations push the digital frontier, they find themselves in the crosshairs of more threat actors than ever. How should an organization react?

There are multiple ways to manage your defenses, and one of them is IT risk management. This starter guide will help you understand IT risks and the importance of measuring and managing them in a growing business.

What is an IT risk?


An IT risk is the potential for a threat to exploit a vulnerability in the IT infrastructure and negatively affect the business. The negative impact could be a monetary loss, a compromise of customer data, a halt in operations, a compliance violation, or a hit on brand reputation and goodwill.

Formally, the IT risks can be categorized into four aspects.

i) Security, such as unauthorized access of business-critical data.

ii) Availability, such as an outage of a key infrastructure component.

iii) Performance, such as poor network speeds leading to loss of productivity.

iv) Compliance, such as failing to meet GDPR obligations and incurring heavy penalties as a result.

An IT risk in each of these categories arises from three components.

Risk = Threat x Vulnerability x Asset

An asset is any IT resource that holds or produces value. It could be a business-critical server, or the person or team that manages that server. Any component that adds significant value to the IT supply chain is considered an asset.

Vulnerabilities and threats are two sides of the same coin. A vulnerability can be a gap in an organizational process, an oversight in an asset's design, a bug in software code, or a lack of knowledge among employees. In short, vulnerabilities are the weak points in an organization that can be exploited to cause damage.

A threat is anything with the potential to exploit a known or unknown vulnerability: usually a malicious actor, but also an accident or an equipment failure. Threats can be internal, such as a disgruntled employee disrupting the business, or external, such as an attacker injecting malicious code into the supply chain.

So an IT risk combines the likelihood that a threat exploits a given vulnerability with the impact that exploitation would have on the assets exposed to it. The formula above is conceptual rather than arithmetic: if any factor is absent (no asset of value, no exploitable weakness, no threat), there is no risk.

While IT risk calculation looks like a data-backed quantitative value, in practice, organizations often use qualitative ratings. Often it is impossible to assign a tangible value or a probability to an IT risk for a specific asset, threat, or vulnerability. For instance, the probability of a threat actor accessing a remote employee's workstation while it is connected to an unsecured network cannot be accurately quantified.

Therefore, the goal of an IT risk analysis is to identify and prioritize the risks that organizations face, so they can be neutralized in the order of urgency.

The importance of IT risk management in 2024


IT infrastructure has changed for businesses across all industries. The cloud has become popular among organizations, BYOD policies are prevalent, implementing cybersecurity practices is a high priority, and the risk of enterprise AI looms large.

With so many organizations going through digital transformation, the IT risk factor has multiplied along with it. It is no surprise that 84% of organizations without a systematic approach to risk and compliance faced an IT supply chain disruption involving their servers, network, or IT management software in the last 24 months.

And now, with the advent of AI-powered productivity, organizations are exposing themselves to new risks, such as confidential corporate data leaking into LLMs that learn from what users submit to them. In fact, a survey report states that 61% of organizations are concerned about the business risks that can arise from using generative AI in their operations.

By implementing a formalized approach to IT risk management within an overarching governance, risk, and compliance (GRC) strategy, organizations can substantially insulate their operations from disruption.

Key benefits and real-life examples of IT risk management


Improved infrastructure availability

Thorough risk management of the IT infrastructure involves mapping its potential failure points and establishing continuous maintenance and upkeep of its functionality.

Case in point: In January 2023, the Federal Aviation Administration (FAA) suffered a system outage that led to thousands of flights being delayed or cancelled for several hours. The failed system was the Notice to Air Missions (NOTAM) database, which all pilots must check before takeoff for runway closures and similar hazards. NOTAM is a legacy system and was a single point of failure. A proper risk management process would have resulted in either upgrading the system or adding redundancy and checks to maintain its service availability.

Better control over brand reputation

A loss in business productivity can have a cascading effect. A major loss in productivity that affects the business's customers further erodes goodwill.

Case in point: Delta Airlines had an impressive record of the lowest rate of cancelled flights in the USA and had built a reputation for reliability. However, in 2016, an organization-wide outage led to the cancellation of over 1,500 Delta flights, leaving thousands of passengers to spend the night in airports. Its reputation for reliability took a hit as stranded travelers posted about the problem on X (formerly Twitter), making #Delta a top trending topic and attracting negative attention from around the world. This was an IT infrastructure availability risk caused by a power outage for which no tested fallback plan existed, leading to operational failure on a massive scale.

Foster innovative initiatives

When risks and uncertainties that cannot be avoided or eliminated are identified and clearly communicated to employees, your organization can develop solutions that keep productivity from taking a hit. Employees can use these solutions with confidence, since they are designed to accommodate the communicated risks.

Case in point: The Department of Veterans Affairs (VA) manages one of the largest integrated hospital networks in the USA. To leverage state-of-the-art technologies such as AI for its patients while mitigating the risk of compromising confidential health data, the VA launched its Cyber Innovation Program (CIP). Through the CIP, the VA's technology team pilots new systems, such as VR headsets for medical analysis, in a simulated external environment, and then gradually introduces them into the VA's systems. The CIP serves as a testing ground to weed out IT risks, ensuring veterans do not face friction once an initiative is launched.

Sharper decision making

IT risk management formalizes the vulnerabilities, threats, and weak points of the IT infrastructure. In doing so, it gives IT leaders a structured basis for decisions on strategy and operations. With clearly defined risk factors, stakeholders can reason about hypothetical situations and debate the merits of new initiatives before implementing them.

Case in point: The Bank of New York Mellon established an AI model to predict and reduce the risk of transactions in the treasury market that would fail to settle. The risk prediction model helped its digital banking team predict about 40% of settlement failures.

How does IT risk management interact with other ITSM practices?


Since the goal of IT risk management is to ensure the confidentiality, integrity, and availability of the IT infrastructure, it is closely related to availability management, IT service continuity management, and information security management.

Availability management (AM) focuses on meeting the current availability requirements of the organization's applications and services and planning to scale for future demand. As part of risk management, availability risks that surface as outages are recorded and managed; when they do surface, they are handled as incidents and problems.

IT service continuity management (ITSCM) deals with maintaining service availability and performance, but during and after disasters. Naturally, the process involves assessing the risks, analyzing them, and mapping the risks that could severely impact the IT services and applications.

Finally, information security management (ISM) manages the risks associated with the confidentiality and integrity of the organization data. Similar to other practices, the potential risks to sensitive data such as PII, health information, or financial data, are mapped using standardized risk assessment techniques, and they are neutralized using various risk management strategies.


The process behind effective IT risk management

IT risk management falls under the purview of the GRC division of an enterprise. Therefore, as part of GRC activity, every risk management process involves a few common steps.

1. Identify your organization's risks and vulnerabilities

IT risks depend on the size of your business, the industry, and the types of applications and services supported. Risk identification for an IT shop managing a retail chain looks different from that of an IT division managing a global hospital network.

For the retail chain, the risks would concern the payment processing or inventory systems, whereas a multinational healthcare provider would face risks around securing patient health information, email servers, medical systems, and more.

There are multiple methods to begin the risk identification process, such as strengths, weaknesses, opportunities, and threats (SWOT) analysis, assumption analysis, affinity diagrams, or a simple employee feedback system.

2. Classify and assess the identified risks

Once the risks are identified, they can be categorized to assess them effectively. Typically, risks to the IT systems can be classified as external, internal, deliberate, or unintentional. Or they can be classified based on the impact, such as service continuity, security, brand reputation, or revenue.

Once categorized, the assessment method depends on the type of risk. If the risk can be assessed quantitatively, it is measured in monetary terms. For instance, for the risk of a server failure, a quantitative assessment would take in the cost of the server, an estimate of revenue lost per minute of outage, the historic frequency of outages, and similar parameters. These combine into an expected annual loss: the loss from a single event multiplied by the number of events expected per year.

Where such figures are not available, risk is assessed qualitatively: likelihood and impact are rated on an ordinal scale (for example low, medium, high) by expert judgment, and the product of the two ratings gives the risk score.

Once assessed, the risks are recorded in the risk register and plotted on the likelihood-impact (risk assessment) matrix so that they can be compared and prioritized.

3. Set up mitigation measures

With the assessment done, begin implementing measures to neutralize the risks. These IT risk controls can be additional security layers, stricter policies, or transfer of the risk to an external party. It is also considered a best practice for organizations to take out cyber insurance once an IT risk management plan is in place.

To mitigate the risk of unauthorized access to critical servers, data centers, and storage, for example, control physical access with biometric scanners. Mitigation strategies are proactive in nature: they are implemented to reduce the likelihood of identified risks occurring in the organization.

4. Develop a response plan

The response plan kicks in when the organization faces a risk despite mitigation efforts. It is the reactive approach to managing IT risks. For instance, IT outages would be documented as a risk, and despite measures to mitigate it, when an outage occurs, the major incident response plan kicks in.

The goal of the response plan is to contain incidents before they worsen, to keep critical business functions running despite the incident, to find the root cause, and to ensure such incidents do not recur.

Incident management and problem management practices intersect with the activities associated with responding and mitigating IT risks in an organization.

5. Continuously monitor and identify new risks

Finally, a feedback system is required to continuously monitor the documented IT risks and identify new ones that arise as the organization scales. Modern IT environments have monitoring and observability platforms that continuously watch the infrastructure for malfunctions or threats. These platforms collect a wide range of events and telemetry, such as user access logs, memory usage, network bandwidth, and hardware temperature, which can be presented on an IT risk dashboard to help IT teams infer risks better.

These continuous monitoring systems also open up the possibility to predict future occurrences from historic data. Currently, with AI models, unstructured telemetry data can be evaluated to derive insights and extrapolate patterns from past incidents. Any new risk that is identified from these monitoring systems goes through the entire process of risk management again, thereby creating a cycle.
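As an added example, not code from this page or from ServiceDesk Plus, the following Python script walks through steps 2 to 5 above with a small risk register: each entry records the asset, threat and vulnerability behind the Risk = Threat x Vulnerability x Asset formula, is scored both quantitatively (single loss expectancy times annual rate of occurrence) and qualitatively (likelihood times impact on a 5x5 matrix), is ranked for treatment, and is then re-assessed when monitoring data shows a different outage frequency. The asset names, dollar figures, outage durations, matrix bands and the rate-to-likelihood thresholds are all constructed for illustration.

```python
"""Worked IT risk register: quantitative (ALE) and qualitative (matrix) scoring.

Added example; not ServiceDesk Plus code. All figures and thresholds are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Qualitative 5-point scales for the likelihood-impact matrix (constructed).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def matrix_band(likelihood: str, impact: str) -> tuple[int, str]:
    """Score = likelihood x impact on a 5x5 matrix, bucketed into a treatment band."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score >= 15:
        band = "critical"
    elif score >= 8:
        band = "high"
    elif score >= 4:
        band = "medium"
    else:
        band = "low"
    return score, band


@dataclass
class Risk:
    name: str
    category: str            # security / availability / performance / compliance
    asset: str
    threat: str
    vulnerability: str
    likelihood: str          # qualitative label from LIKELIHOOD
    impact: str              # qualitative label from IMPACT
    sle: Optional[float] = None   # single loss expectancy: loss per event, if known
    aro: Optional[float] = None   # annual rate of occurrence: events per year, if known
    treatment: str = "reduce"     # avoid / reduce / retain / transfer

    def ale(self) -> Optional[float]:
        """Annualized loss expectancy = SLE x ARO; None when no quantitative data."""
        if self.sle is None or self.aro is None:
            return None
        return self.sle * self.aro

    def qualitative(self) -> tuple[int, str]:
        return matrix_band(self.likelihood, self.impact)


def outage_sle(revenue_per_minute: float, minutes_down: float, recovery_cost: float) -> float:
    """Single loss expectancy of one outage: lost revenue plus fixed recovery cost."""
    return revenue_per_minute * minutes_down + recovery_cost


def rank(register: list[Risk]) -> list[Risk]:
    """Order risks for treatment: by ALE where known, then by matrix score."""
    return sorted(register, key=lambda r: (r.ale() or 0.0, r.qualitative()[0]), reverse=True)


def reassess_from_telemetry(risk: Risk, outages_observed: int, months: int) -> Risk:
    """Step 5 feedback loop: refresh ARO from monitoring data and re-rate likelihood.

    The ARO-to-label thresholds below are constructed for this example.
    """
    risk.aro = outages_observed * 12 / months
    if risk.aro >= 2:
        risk.likelihood = "likely"
    elif risk.aro >= 0.5:
        risk.likelihood = "possible"
    else:
        risk.likelihood = "unlikely"
    return risk


def sample_register() -> list[Risk]:
    """Constructed sample entries; every figure is illustrative."""
    return [
        Risk("Payment gateway outage", "availability", "payment gateway",
             "hardware failure", "single instance, no failover", "possible", "major",
             sle=outage_sle(revenue_per_minute=2_000, minutes_down=90, recovery_cost=15_000),
             aro=2.0),
        Risk("Customer PII exfiltration", "security", "customer database",
             "external attacker", "unpatched web front end", "unlikely", "severe"),
        Risk("Legacy reporting server", "availability", "air-gapped reporting box",
             "disk failure", "end-of-life OS", "likely", "negligible", treatment="retain"),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in rank(register):
        score, band = r.qualitative()
        ale = "n/a" if r.ale() is None else f"{r.ale():,.0f}"
        print(f"{r.name:28} {r.category:13} matrix={score:2} ({band:8}) ALE={ale:>10} -> {r.treatment}")
    # Monitoring later shows three gateway outages in six months: re-score it.
    updated = reassess_from_telemetry(register[0], outages_observed=3, months=6)
    print("after telemetry:", updated.name, updated.qualitative(), f"ALE={updated.ale():,.0f}")
```

The point of keeping both scores on one entry is that the page's two assessment styles are not alternatives: a risk with no reliable cost data still gets a matrix position, while one with data gets an ALE that can be compared directly with the cost of a control. The re-assessment at the end is what step 5 adds: the gateway risk moves from "possible/high" to "likely/critical" once monitoring data contradicts the original frequency estimate.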


Common approaches towards managing IT risks

There are four approaches to managing IT risks, and the choice between them depends on the type of risk to be treated, the culture of the organization, and its risk management strategy.

Avoiding risks altogether: IT teams can decline to take on certain risks at all, such as by not collecting customers' location data when they access the business's services. While data is useful to the enterprise, the IT team can choose not to take on the risk of securely collecting and storing such sensitive data. Whereas IT risk management as a whole aims to manage identified risks, risk avoidance simply eliminates risks that are unnecessary for the business to operate.

Reducing the likelihood of risks: These are the mitigation tactics used to reduce the likelihood, or the impact, of an identified risk. A simple example is an ITOps monitoring system that detects network or server degradation before it becomes an outage.

Retaining risks: Risk retention is accepting a risk the enterprise faces. Unlike avoidance, the risky activity continues, but no counter-measure is put in place for the exposed vulnerability. This approach is taken when the probability of the risk occurring is low and the resources required to mitigate it are too high. For instance, if legacy systems are not connected to the internet and hold no business-critical or sensitive data, the organization faces a low risk but a high cost to upgrade them, and can choose to simply accept the risk. Accepted risks should still be recorded in the risk register with a named owner and revisited at each review, since the conditions that justified acceptance can change.

Sharing or transferring risks: Risk transference is when the organization engages an external vendor or another organization to take on the management of a risk. A common example is contracting MSPs to run IT processes. While this shifts responsibility for operating the controls to the MSP, the organization remains accountable for the outcome and must still assess and analyze the third-party risk introduced by the transfer. Another frequent form of risk transference in IT departments is cyber insurance, where the provider takes on the monetary risk to the organization in the event of a cyberattack.

IT risk management best practices

Begin the journey with a base framework: If your organization is just starting its IT risk management journey, a good rule of thumb is to adopt an industry standard as the baseline and build on it as the organization matures in its understanding of the risk management process and its benefits. Organizations commonly begin with NIST SP 800-53 (the control catalog used with the NIST Risk Management Framework) or ISO/IEC 27001 (with ISO/IEC 27005 for the risk assessment itself).

Frequent evaluation of IT risks: IT departments need an always-on approach to evaluating risks. The IT infrastructure is constantly changing, and attackers constantly develop new methods to penetrate defenses. It is equally important to validate the risk assessments themselves: document the evidence behind each assessment and have the results approved by the internal stakeholders who own the affected assets.

Set up policies with the leadership's vote of confidence: Often, when employees are merely educated or given guidelines on the do's and don'ts regarding IT risk, the result is partial compliance, where only some employees follow the guidelines. The best practice is to start from the top: get the C-suite to buy in and establish concrete IT risk management policies. With these policies in place, it is easier for employees to adhere to them and to be held accountable.

Maintain a stringent vendor risk assessment: Your IT infrastructure and data can face risks from external stakeholders, such as the vendors your organization depends on. It is imperative to analyze each vendor thoroughly, with an exhaustive list of questions and documentation to validate their claims. Keep a tight contract with precise wording that cannot be misinterpreted, and set out expectations around incident response timelines, reporting, offshore data access, service level objectives (SLOs), and service level agreements (SLAs).

Factor in organization scalability: If your organization is in a growth phase, the risk management strategy cannot be revamped every year to account for the changes. Establish a risk management strategy that can absorb growth factors such as new classes of threats, a growing supplier base, or changes in headcount. Examples of planning for scale are a process to analyze any new technology before it is adopted, and choosing software the organization can keep using for the next few years.

IT risk management checklist

When you are getting started on your IT risk management strategy and assessment, it is easy to miss some best practices, which creates challenges later. So we drafted a short checklist to help you keep things on track!

  • Is the IT risk management process tailored to the organization's culture?
  • Are communication channels established with external and internal stakeholders during the risk assessment process?
  • Does the C-suite view cybersecurity and risk mitigation as a business-critical component?
  • Has the organization determined the level of IT risk with which they can operate every day?
  • Does your organization have a CISO?
  • Can the CISO or any authoritative entity enforce the IT risk management policies?
  • Has your IT risk management strategy accounted for the short-term and long-term objectives of the organization?
  • Is there a framework in place for business units to identify, measure, monitor, and control the IT risks they face?

How does ServiceDesk Plus boost IT risk management efforts?


An ITSM platform helps streamline IT service delivery, which includes managing incidents, identifying problems, tracking hardware assets and software compliance, and other practices. These practices complement IT risk mitigation and risk monitoring. For instance, if an identified risk, such as a cybersecurity threat, materializes, the incident response workflow kicks in as part of incident management.

ServiceDesk Plus, the unified service management platform from ManageEngine, accelerates risk mitigation with automated incident response workflows. An alert raised from the IT infrastructure triggers the incident workflow, which removes collaboration barriers by automatically notifying the relevant technicians.

When a new vulnerability in the IT environment is identified and classified as an IT risk, the Problems module in ServiceDesk Plus helps find its root cause so that it can be eradicated from the environment. You can also maintain a known error database in ServiceDesk Plus to catalog known vulnerabilities and their workarounds.

Another area of high risk is the hardware and software used in the organization. As an ITSM platform, ServiceDesk Plus can discover, classify, and track hardware such as workstations, servers, and routers. The Assets module can also track software, identify its usage, and show the license compliance status of all software in use, reducing the risk of unaccounted-for assets and software license non-compliance.

The CMDB in ServiceDesk Plus offers a visual map of the IT infrastructure and the relationships between its components. IT admins can modify and track the infrastructure as it scales, and IT risk managers can continuously update the risk profile as new components are added. With the relationship map, risk managers can also infer the impact of downtime on any IT component.

If you would like to revamp your IT service management to improve your GRC posture, try ServiceDesk Plus for 30 days, no questions asked. Or you can schedule a demo, during which our product experts will configure ServiceDesk Plus to your needs and showcase it.

Zephaniah

Author's bio

Zephaniah is a product marketer for ManageEngine's ESM suite of products. He loves creating resources to educate IT service desk folks on the best practices for making the most of ITSM. Some of these resources include self-assessment toolkits, security-first service management framework, detailed guides, several blogs, and more.

He is an active participant in industry conferences across mediums, such as SupportWorld Live (USA) and events from both SDI and SITS (UK). Zephaniah is also a frequent presenter at ManageEngine IT conferences held worldwide.

Frequently asked questions


What are the different phases of IT risk management?

What is the role of an IT risk manager?

What are the types of IT risk?

What is enterprise risk management?

What is an example of an IT risk?