Threats to data security and data systems are becoming more common and costly to organizations. Along with greater emphasis on cloud computing and the collection and storage of big data, information security is listed as a major reason for increased demand for computer and information technology occupations. The U.S. Bureau of Labor Statistics (BLS) projects that these positions will grow 13 percent by 2026.
The employment increase for cybersecurity professionals will be even greater. The BLS reports that demand for information security analysts is expected to increase 28 percent by 2026. Cyberattacks have grown in frequency, and analysts will be needed to come up with innovative solutions to prevent hackers from stealing critical information or creating problems for computer networks, according to BLS.
One component of protecting an organization’s computer network and systems is the IT risk management process.
What is IT Risk Management?
Risk management is the process of identifying, assessing and taking steps to reduce risk to an acceptable level, according to the National Institute of Standards and Technology (NIST).
Risk occurs in many different areas of business. For instance, companies face the constant and rising threat of data breaches each year. In the annual Cost of Data Breach Study, conducted by Ponemon Institute and sponsored by IBM, figures are analyzed to evaluate the cost of data breaches. The 2017 report had the following takeaways:
- The global average cost of a data breach is down 10 percent over previous years to $3.62 million.
- The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 in 2016 to $141 in this year’s study.
- Despite the decline in the overall cost, companies in this year’s study are experiencing larger breaches. The average size of data breaches in this research increased 1.8 percent to more than 24,000 records.
Even with a decline in the average cost of a data breach, it is obvious that breaches are costly to businesses. Organizations need to ensure systems and software applications are protected, replaced when needed and updated when newer versions are available. New risks can develop around these systems and applications, and as NIST notes, new risks will surface as security policies change over time and as personnel turnover occurs.
Personnel is a major factor in risk management. “We may see a heavier focus on engineering and analysts, and a lot of companies are probably going to be looking for designated leadership with cybersecurity,” Stephen Zafarino, senior director of recruiting at national staffing agency Mondo, told TechRepublic. “They’ll also be making sure the right infrastructure is in place, as companies are starting to realize that everyone is a potential threat and taking measures as a result.”
Risk management requires strong personnel and processes to protect against the many threats involved in business. Formal IT risk management processes offer a step-by-step way to identify, assess and reduce risk.
The IT Risk Management Process
Risk management is a comprehensive process that requires organizations to complete four steps. When managing risk, personnel are involved in this complex, multifaceted activity that requires the involvement of the entire organization — from senior leaders/executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals operating information systems supporting the organization’s missions/business functions, according to a NIST report on managing information security risk.
The following steps comprise the IT risk management process.
Step 1: Framing Risk
The first component of risk management establishes a risk context. It looks at the environment where risk-based decisions are made. This step establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations. To establish a realistic and credible risk frame, organizations must identify the following:
- Risk Assumptions: assumptions about how threats, vulnerabilities, consequences/impact and likelihood of occurrence affect risk in terms of assessment, response and monitoring over time
- Risk Constraints: for example, constraints on the risk assessment, response and monitoring alternatives under consideration
- Risk Tolerance: levels of risk, types of risk and degree of risk uncertainty that are acceptable
- Priorities and Trade-Offs: the relative importance of missions and business functions, as well as trade-offs among different types of risk that organizations face
Step 2: Assessing Risk
This step focuses on assessing risk by identifying the following:
- Threats to organizations
- Internal and external vulnerabilities to organizations
- Consequences and impact to organizations that may occur, given the potential for threats that exploit vulnerabilities
- The likelihood that harm will occur
Supporting the risk assessment step involves identifying the following:
- Tools, techniques and methodologies used to assess risk
- Assumptions related to risk assessments
- Constraints that may affect risk assessments
- Roles and responsibilities
- How risk assessment information is collected, processed and communicated throughout organizations
- How risk assessments are conducted within organizations
- Frequency of risk assessments
- How threat information is obtained, including sources and methods
Step 3: Responding to Risk
This step addresses how organizations respond once risk is determined, based on results of risk assessments. It is designed to provide a consistent, organization-wide response to risk by performing the following:
- Developing alternative courses of action for responding to risk
- Evaluating the alternative courses of action
- Determining appropriate courses of action consistent with organizational risk tolerance
- Implementing risk responses based on selected courses of action
Step 4: Monitoring Risk
The final step of the IT risk management process addresses how organizations monitor risk over time. This step serves the following purposes:
- Verify that planned risk response measures are implemented and information security requirements are satisfied (organizational missions/business functions, federal legislation, directives, regulations, policies, standards and guidelines)
- Determine the ongoing effectiveness of risk response measures following implementation
- Identify risk-impacting changes to organizational information systems and the environments in which the systems operate
Pursuing a Career in IT Risk Management or Cybersecurity
Pursue a career in IT management or cybersecurity with a Master of Science in Cyber and Homeland Security Administration from Fairleigh Dickinson University online. The program focuses on practical and theoretical aspects of enforcing and ensuring homeland security and includes several areas of specialization, including cybersecurity. There is a strong emphasis on leadership throughout the program. The University strives to provide students with the multi-disciplinary, intercultural, and ethical understandings necessary to participate, lead, and prosper in the global marketplace of ideas, commerce, and culture.