How far does your company’s IT risk assessment strategy go?

In the wake of COVID-19, the digital threat vulnerabilities of many organisations are growing exponentially as companies have rapidly embraced digital pathways and platforms to keep businesses afloat over the past 12 months.

Technology risk was traditionally conceived as the consequences of the failure of technology. Today however, IT risk management functions have expanded in tandem with businesses’ ever-increasing dependence on technology to deliver solutions. While technology has improved business functions in areas such as automation, business intelligence or cloud computing, it has also exposed growing gaps in cyber-security, data exposure and user error.

This article explores the growing need for robust digital security, advice on how to reduce technology risk as well as three roles that can protect and defend your business against digital threats.

Technology risk professionals are more in demand than ever

In 2020, the world witnessed one of the fastest adoptions of technology in the workplace in response to the global COVID-19 pandemic. In many instances, this adoption took place before some organisations had the appropriate procedures and systems in place to protect their business from cyber-attacks.

The requirement that many employees work from home, for example, required a massive shift in the way businesses store and access digital files. Secure systems that were once manual or required a user to be on-site, now needed to be accessed online and off-site – and quickly.

This rapid uptake in new technologies and processes has disproportionately affected more traditional institutions (think banking and healthcare, as examples) which were, in many instances, not equipped to deal with such a quick pivot. These are the same institutions that , according to a recent report by Protiviti, were hesitant to change in the first place, given many were underpinned by old, out-of-date legacy systems and processes, which necessitated their IT teams to work reactively, rather than proactively, as the pandemic hit.

Furthermore, according to recent research by Robert Half, 63% of Australian CIOs believe the pandemic has amplified the skills shortage in technology due to the increased competition for top talent.

While some organisations have bolstered their technology risk management capabilities, the ones that have not will need to ensure that they have a robust strategy in place to tackle any cyber-threats as well as a proactive hiring plan to secure the right talent to implement this strategy.

The state of technology risk management in 2021

A need for innovation

According to our colleagues at Protiviti, the biggest technology risk that most businesses face today is a lack of innovation.

Most technology risk teams only have the bandwidth (and remit), to focus on the downsides of business-wide technology adoption. But a failure to adapt to the rapid pace of change means businesses may miss out on commercial opportunities due to a failure to achieve ‘first mover advantage.’

A failure to adapt to the market ¬and innovate ¬can be just as risky to business outcomes as password theft and security breaches.

A need for greater communication

Another major issue that technology risk teams face is poor communication, and an inability to effectively connect their work with overarching business strategies and functions. Much can be lost in translation, so there is a real need for people who can translate and connect with other business units, reducing the silo effect many IT teams can face in larger organisations.

According to a survey of technology risk functions by Protiviti, there is little integration of technology risk functions evident across many organisations. Many were, instead, scattered throughout distinct teams, each performing individual technology risk activities - each with their own distinct methodologies, leading to duplicate efforts and difficulties in reconciling findings/conclusions.

How to reduce technology risk

Understanding technology risk professionals as not only necessary for security and compliance, but also as agents of innovation and change in the workplace can be a first step to addressing technology risk.

Here are three tactics worth exploring to reduce technology risk:

Businesses need to be more pre-emptive and holistic in assessing technology risk

Effective technology risk management teams need to be forward-looking. This cannot be achieved if technology risk responses are implemented only after a negative situation has arisen.

There is also an opportunity for the function to be more effectively integrated into strategic business planning. This could lead to the technology risk function being viewed less as a cost-centre, and more as a valued business partner, which will allow businesses to be more agile and responsive to changing commercial demands.

This view is further supported by the work done by Protiviti, who recommend greater integration of technology governance, risk management, and compliance activities.

Businesses need to invest in the right people

At the end of the day, an effective technology risk function can only happen with the right people, and the right mix of technical and soft skills.

Currently, 53% of CIOs in Australia believe it will be more challenging to find qualified technology employees compared to pre-pandemic conditions, according to a recent survey by Robert Half.

At a basic level, candidates will also require prior knowledge with IT auditing and risk, and experience with cyber-security. And there is increasing demand for agile technology leaders with the business acumen necessary to translate the added value the IT function offers.

Such experience can be challenging to find in today’s skills-short market, but these skill-sets are indispensable.

Explore managed security service options

Another option for companies is to place their cyber security operations in the hands of a managed service provider. This can help to solve their twin challenges of skills shortages and a fast-moving technology landscape – and leave them to focus on what matters most.

Managed services usually require the oversight of an experienced professional within the business, but they don’t demand the roles needed to run a full department. Ultimately, the Chief Information Security Officer can still oversee what’s happening and make decisions. But the operational headache of running cyber-security operations is taken away.

Unlike outsourced services, which can sometimes be opaque and replicated for thousands of customers, managed services also aim to be customised and transparent. Clients can understand what these platforms look like and how they operate. This means that services can be continuously improved, and given back to businesses in a better way, if they are taken in-house at a later date.

Look out for more on this trend: threat detection and response, vulnerability management and pen testing (as a service) are growing.

3 professionals who can manage technology risk

1. IT Security Consultant

As digital systems grow in complexity, they provide billions of new entry points for cyber-criminals to exploit, according to a report by McKinsey & Co. A contractor such as an IT Security Consultant can be recruited to successfully manage these cyber-threats.

The IT Security Consultant’s job is to assess and address potential security threats, and to secure a company’s digital assets. It is their responsibility to create contingency plans should such incidences occur; design and implement security protocols, plans, and policies; and run risk assessments and security tests.

IT security consultants are required to work closely with non-technical staff, so they must have strong communication skills and the ability to work effectively with teams to implement an effective technology risk function and possess fundamental skills that accompany cyber-defence and data protection.

DID YOU KNOW: According to a recent survey by Robert Half, 36% of CIOs in Australia are finding IT security the most difficult specialist skill to find amongst candidates.

2. IT Business Consultant

Bridging the gap between the technical team and the non-technical business units can be the IT Business Consultant. It is their responsibility to implement technical solutions to meet business objectives, which includes mitigating technology risk factors.

Like IT security consultants, the IT Business Consultant is often a contractor or outsourcing solution hire, coming on board to address risk quandaries identified by the business. Their role will demand prior knowledge and expertise in project management and change management.

DID YOU KNOW: 55% of Australian CIOs plan to utilise contract professionals to access specialised skills and subject matter expertise.

These consultants can be a key component of the technology risk management team, as they are often the ones driving innovation through the adoption of new and novel technological solutions.

3. Chief Information Security Officer (CISO)

The Chief Information Security Officer is responsible for the security of a company’s digital infrastructure. They manage and direct staff to identify, develop, implement, and maintain procedures within an organisation to reduce technology risk.

This C-suite title is not new; according to a report jointly produced by PwC, CIO.com and CSO Online, 85% of large businesses have a CISO or equivalent. Importantly, companies without a CISO (or equivalent) were more likely to find their employee security training insufficient. Further, many found their security strategy to be insufficiently proactive.

The CISO plays a vital role driving information security initiatives, and as such, are arguably the most important technology risk advocate an organisation can have.

It should be noted that while not every company will have the headcount capacity to hire a CISO, businesses should nonetheless ensure their internal technology leader is driving an effective technology risk strategy and has the necessary experience and skills to facilitate this whether through running regular IT risk audits or developing protocols in response to ongoing cyber-threats.

Building your technology risk talent pipeline

Hiring the right talent is an essential part of reducing IT security threats to a company’s digital assets and infrastructure. With the right mix of people, technical skills, and soft skills in place, businesses can focus on building a strong risk management strategy to drive innovation, mitigate risk, and propel the business forward.

Technology risk management is a business function that needs the space and opportunity to be viewed as an operational necessity, especially under today’s circumstances where so many companies are highly dependent upon technological deliverables and solutions. Moreover, the message needs to be clear that they can provide greater value to organisations than simply reactive protection and meeting compliance demands.

Given the bandwidth, resources, and opportunity, technology risk can be a source of innovation in the workplace, providing business insights that may be overlooked by other organisational functions.

Robert Half and Protiviti continue to help many clients with sourcing high-quality IT talent. We have access to a strong network of interim and permanent technology professionals. They are ready to help your organisation meet its rapidly changing IT and cyber-security needs. Contact us today.