IT Risk Management: Allowing An Open Environment With A Secure Framework

The growing complexity of today’s IT environments, compounded by decreased IT budgets and the adoption of new technologies like cloud and mobile devices, has exposed today’s organisations to more risks than ever before.

As a result, organisations face a massive challenge: how do they balance the need for flexible and open access to their company’s IT infrastructure (so business can be conducted) with the need to mitigate risks associated with that access (so bad things don’t happen)?

Effectively managing IT risk requires corporate diligence above and beyond a simple security checklist. Companies must achieve a level of transparency and risk management that protects against the real security threats that exist inside their organisation.

There are three primary strategies organisations should pursue for managing risk in association with securing their IT infrastructure.

1. They must instill a risk management discipline across the organisation

This requires a formal categorisation of risks in order to understand potential threats and vulnerabilities, and to implement the appropriate set of controls to balance the business’s need for convenience, usability, and availability with the need for security measures that mitigate risk. This includes implementing the necessary controls to eliminate specific risks such as workers who hold access privileges they don’t need, terminated workers whose access privileges are not removed, and toxic combinations of access privileges that increase the potential for fraud.

2. To effectively address risk, organisations must deploy “identity intelligence” tools that provide visibility and improve control across large numbers of enterprise systems, applications and data

In order to achieve transparency and better manage risk, the organisation will need to inventory, analyze and understand the access privileges granted to employees, partners, and sometimes even customers — and to be ready to answer the critical question on demand: “Who has access to what?” Compiling and correlating this data manually is usually not a viable approach due to the complexity of the IT environment and the frequency of changes that routinely occur to user populations. Therefore, an automated approach that provides data on demand is required.

3. The overall security strategy must foster collaboration between business staff and IT staff in order to effectively manage risk

Addressing risk requires business-level participation, as business managers need to align IT operational policies to business policies and priorities. Likewise, IT is in the best position to gather the data on who has access to what and report back to the business people to let them determine if that access is correct or not.
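The three access risks named under the first strategy, and the "who has access to what" correlation described under the second, can be checked mechanically once HR and entitlement data are joined. The following is an added example, not code from the article or from any vendor product; the roster, entitlement export, role baseline and toxic pair are all constructed sample data and assumed policy.

```python
"""Access review over constructed data: flags the three risks named in the article."""
from collections import defaultdict

# Constructed HR roster: user -> (employment status, job role)
HR = {
    "alice": ("active", "ap_clerk"),
    "bob": ("terminated", "ap_clerk"),
    "carol": ("active", "engineer"),
}
# Constructed entitlement export from target systems: (user, system, privilege)
ENTITLEMENTS = [
    ("alice", "erp", "create_vendor"),
    ("alice", "erp", "approve_payment"),
    ("bob", "erp", "create_vendor"),
    ("carol", "git", "push"),
    ("carol", "erp", "approve_payment"),
    ("dave", "vpn", "connect"),  # account with no HR record at all
]
# Assumed policy: privileges each role needs, and pairs no single user may hold.
ROLE_BASELINE = {
    "ap_clerk": {("erp", "create_vendor")},
    "engineer": {("git", "push")},
}
TOXIC_PAIRS = [(("erp", "create_vendor"), ("erp", "approve_payment"))]

def access_by_user(entitlements):
    """Correlate per-system rows into one view: who has access to what."""
    held = defaultdict(set)
    for user, system, priv in entitlements:
        held[user].add((system, priv))
    return held

def review(hr, entitlements, baseline, toxic_pairs):
    """Return (user, finding, privileges) tuples, ordered by user name."""
    findings = []
    for user, held in sorted(access_by_user(entitlements).items()):
        status, role = hr.get(user, ("unknown", None))
        if status != "active":
            # Terminated worker, or identity HR does not know, still holds access.
            findings.append((user, "orphaned_access", sorted(held)))
            continue
        excess = held - baseline.get(role, set())
        if excess:
            findings.append((user, "excess_privilege", sorted(excess)))
        for a, b in toxic_pairs:
            if a in held and b in held:
                findings.append((user, "toxic_combination", [a, b]))
    return findings

if __name__ == "__main__":
    for finding in review(HR, ENTITLEMENTS, ROLE_BASELINE, TOXIC_PAIRS):
        print(finding)
```

The findings list is what IT would hand back to business managers for a decision on whether each flagged access is correct, which is the collaboration the third strategy describes.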

Managing risk is no easy task, and certainly no one technology can address all aspects. But as organisations struggle to address today’s business requirements, a governance-based approach to identity management enables an organisation to create a cross-department, enterprise-wide process. That process adds a layer of intelligence that gives enterprises the business insights needed to strengthen IT controls and reduce operational risk. The better a company understands which users have access to which corporate assets, the better it can realistically understand its potential security vulnerabilities.

In his role as president of SailPoint, Kevin oversees product development, marketing, sales, operations and client services on a global basis. Under Kevin's leadership, SailPoint has achieved landmark growth, posting triple-digit revenue and customer growth, expanding to more than 180 employees, and building a global presence in North America, Europe, Asia and Australia. Kevin works continuously to sharpen SailPoint's strategic focus and to align strategic partnerships and corporate development with long-term expansion opportunities. Kevin previously served as founder and vice president of marketing for Waveset Technologies, where he turned ground-breaking innovation into tangible market results. Following the acquisition of Waveset by Sun Microsystems, Kevin led strategic product initiatives for Sun's software portfolio. Kevin has also brought innovative technologies to market for companies including IBM/Tivoli Systems and UniSQL.