We all know what an ideal budget looks like: every factor is neatly categorized as its own line item, strategic initiatives are fully funded, all the numbers balance, and nothing ever changes throughout the fiscal year. When it comes to budgeting for Information Technology (IT) risk management, every possible issue has been identified and provided for.
Now, let’s talk about reality.
The cold, stark reality of IT budgeting is that there are plenty of IT risk management issues that can easily be overlooked … and end up biting you in the budget. Here are five to put on the agenda for your next IT staff meeting so that you don’t find yourself footing an unexpected (and nasty) bill later in the fiscal year.
1. Assess third-party technology availability carefully
A lot of companies today have integrated supply chains which incorporate third-party IT technology partners – ITaaS, IaaS, PaaS, SaaS … the list of “as a service” offerings continues to grow.
These third-party vendors are of critical importance in the supply chain; unfortunately, IT is often guilty of not funding assessments to explore the risks their third-party partners might represent, or to find out what would happen if those third parties experience a technology availability failure.
Think about it for a moment: what would happen if a critical software application went down? Or if your infrastructure was unavailable for an hour … or six hours … or 24 hours? Most likely, the repercussions would be felt up and down the supply chain, from the top executive to the final customer.
The solution is to go beyond a “check the box” mentality when you ask about your third parties’ business continuity and disaster recovery (BC/DR) plans. You need to probe deeply into exactly what those BC/DR plans consist of, how they can ensure availability while an event is taking place, and how the vendor has validated the effectiveness of those plans (for example, through documented recovery tests rather than a written plan alone). Anything less than solid proof of availability has the potential to come back and bite you in the budget.
2. Understand all your interdependencies
Interdependencies multiply constantly in today’s business environment. Applications, platforms, infrastructures, systems, networks … all combine to create a veritable spider web. Touch one silvery filament, and the tremor can be felt in a dozen seemingly unrelated areas.
It’s vital for IT departments to understand every strand and juncture of this spider web so that they have a valid and comprehensive perspective on how an issue in a given area would impact the supply chain – and plan accordingly.
Take a classic example: a company has a legacy infrastructure supporting a mission-critical application designed to be continuously available. But the legacy infrastructure itself can’t meet the necessary availability requirements. Because of this interdependency, the application is at risk, as is everything that relies upon it. The IT department needs to take action to replace or harden the legacy infrastructure to bring it “up to code.”
There are a lot of platforms, applications, and other components today that are out of alignment with business requirements. They may be working fine right now, but they cannot guarantee the continuous availability the business demands. IT needs to search these out and fix them to get in sync with today’s business landscape.
3. Decide what to do after a breach
There is a lot of emphasis today on threat analysis and prevention – and rightly so. But breaches can and do happen, despite an IT department’s best efforts. If a company experiences a breach, it costs. However, it will cost a lot more if IT hasn’t taken the time to decide what to do in the aftermath of a security breach.
This is the area of cyber incident management. What is IT’s response plan for a breach? How will they contain and minimize its effects? When will they perform appropriate forensic work to identify what happened and prevent it from recurring? Does IT need to re-evaluate its spend to better manage customers or internal stakeholders in the event of a breach? The reactive purchases that follow a breach – new software, consulting services, and IT infrastructure appliances – can hit an IT budget unexpectedly and hard. Proactive planning for a breach and the response to it can help limit IT’s unplanned costs if an event does happen.
4. Consider disaster recovery when engaging in application/systems development
Application/systems development takes place in a pristine sandbox. There are no unplanned outages, no business interruptions, no hacks. Then, the application/system is deployed in the real world and – surprise, surprise – things are no longer so rosy. The first incident typically wreaks havoc on the application/system and everything downstream of it.
IT needs to build disaster recovery (DR) into the software development life cycle (SDLC) process when engaging in application/systems deployment. Vulnerabilities should be explored and mitigated while still in the “sandbox” phase so that the appropriate upfront budgeting can be justified as part of the development process. This will require changes to the initial scope and budget of the project, but the costs are far less than either retrofitting recovery into the application/system after it has been deployed or, worse, repairing disaster damage on the backend.
5. Keep up to date with change management requirements
Weak IT change management discipline always costs in the long run. Applications and systems may be running on outdated or unsupported software or infrastructure versions. Production environments drift out of sync with recovery environments. Security updates and patch implementation lag behind.
In every case, risk increases. And with increased risk, the probability of a problem – be it a hack, a software failure, a botched recovery, a broken interface, etc. – gets higher. So to avoid having to explain an unplanned capital expense, it is in IT’s best interest to be rigorous about change management across ALL aspects of IT.
No one likes surprises – particularly when they involve money. By taking these five often-overlooked IT risk management issues into consideration, you can avoid a multitude of unpleasant situations that could bite you in the budget.