The way in which companies interact with their employees, customers and other organizations is changing at an unprecedented rate. Mobile computing and new technologies such as cloud computing and social media are breaking down the walls of the conventional office and demolishing the old IT risk paradigm.
For example, an organization’s hardware is now operated in low-cost countries, software is provided in the cloud and an organization’s data is held all round the world. Corporate data is transmitted over the internet, communicated and discussed on social media channels, and can travel around the globe instantly through a variety of channels and platforms, captured on employees’ smart phones, tablet computers and personal computers. These high-tech devices, through which data now flows freely, were once only the exclusive domain of the employers who provided them, but now they are mostly owned by employees. The result is personal information and important and proprietary company data often residing on the same low security devices.
Faced with these complex and ever-changing layers of risk in this new ‘world without borders’, IT risk programs must expand and adapt to meet these challenges.
IT risk has historically been dismissed as the sole responsibility of the IT department, and has not been considered a strategic business risk requiring an enterprise-wide focus. However, as the pervasive use of IT tools and technology continues to grow, impacting virtually every aspect of business function, it is becoming increasingly clear that managing IT risk is less about just IT, and more about managing risks for the whole business. Organizations must now include IT Risk Management (ITRM) within their overall enterprise-wide risk management approach.Over the years, our annual Global Information Security surveys1 have revealed that board members and audit committees are increasinglyinterested in information security. This is one of the most important measures an organization can take to potentially reduce IT risk. However not all IT risks are covered by information security; there is a lot more to do.