Balancing IT Risk and Opportunity

By David Williamson, CISSP, CGEIT, CRISC, Vice President – Professional Services, MetricStream

davidwilliamsonFor business managers, moving portions of our company’s most valued information assets into the public cloud, while compelling economically, raises a thicket of difficult risk and compliance questions.

  • From a business perspective, considering reputational and other risks, do the economic advantages outweigh the risks?
  • Can anybody in my company really answer:  if we move these processes and data into the cloud, will we still be fully compliant with all of the necessary “legs and regs” we must comply with?  How do we really prove that?
  • Frankly, our IT partners are hardly impartial in the decision; we’re allocating our IT shop’s funds to buy cloud services.  Are their security concerns perhaps a little overblown?

To answer these questions, risk and other professionals need to perform the business equivalent of alchemy:  transforming security “bits and bytes” into business data we can understand and operate upon.  This is where a good GRC framework can be pure gold.

An integrated GRC framework will allow you to understand how security threats and vulnerabilities affect the systems that support your core business processes.

Security “sensors” which detect malicious behavior in the networks, or the existence of threats and vulnerabilities, can be viewed through a risk and compliance lens.  Different types of IT risks can be assessed for probability and impact, mitigated, transferred, or accepted, and the residual risk impact compared against the economic consequences of other risk types.

It’s just a simple fact that there will always be some degree of risk in systems.  The Executive Suite craves objective data about how these risks, including the risks of non-compliance with key regulatory requirements, compare against other risks to the enterprise.  An integrated GRC framework can allow executives to meaningfully weigh IT risks and opportunities against other corporate risk and opportunities, and make informed decisions about where to invest scarce corporate assets.

Leave a Reply

The name and email fields are solely used to comment on posts. Cloud Security Alliance does no further processing of this data. See Section 3 of the CSA Privacy Policy for details.

Share this content on your favorite Social Network.