Over the past twenty years, Information Technology (IT) has become more and more central to business. IT organisations operate in a complex, vulnerable, and rapidly changing environment. Their mandate spans managing business-critical processes and a multitude of technologies, and increasingly operating in a virtual ‘Cloud’ environment. This complexity, together with cost reduction imperatives, has driven many organisations to outsource part of their services, so that data, processing, or even the services themselves are managed by a third party.
This distribution of roles, these interconnections, and the exposure to growing cyber-attacks add tremendous levels of risk. What used to be manageable by a single person in charge of “security” may now require ten different experts. A bottom-up approach, whereby individuals manage risks at their own level, has unfortunately reached its limits. While it is the most natural and easy approach, it does not guarantee an integrated view and governance of all IT risks: the collection of information is painful and tedious, and collaboration tools are often inefficient at identifying new risks or assessing a risk increase and its impact.
Michael Rasmussen, the GRC Pundit, pointed out that “A reactive approach leads to more exposure and vulnerability”. This results in a negative impact on the business, which in turn can mean higher costs or even public disclosure of the failure. Many organisations have called on IT consulting firms to help them understand the nature and magnitude of their risks. The outcome is often that IT organisations need to implement a real “IT governance” framework that is sustainable, integrated, and agile.