Managing The Risk of Change
Imagine how much easier our lives and jobs would be if the world stood still for a little while. If we could push pause, and make our organizations and the related IT networks and systems stay the same, no new regulations, acquisitions, vulnerabilities, or threats. If only we could just keep things the same so we could catch our breath for a few moments and fix some of the things that are already on our to-do list. Unfortunately, this pause button doesn’t exist yet and we are forced to live with the old adage: the only constant is change.
Change isn’t always a bad thing. It can simply just prove difficult to handle and understand. When it comes down to it, many times it’s how well we manage and adapt to change that determines if we are successful. Fundamentally this what Darwin’s Theory of Evolution is about. The world is full of examples of organizations that didn’t adapt to change and subsequently are now “extinct” (let us take a moment of silence for Kodak).
We know we must continually change and evolve in order to survive. In this day and age, this is more apparent than ever. If you stand still, even for a few years, the competition and the market may blow past you. In the case of the IT and security fields, it’s even tougher because there are new threats developed every single day that we need to learn how to combat in an instant. For all of us in IT and security, understanding how to analyze the risk associated with the change is critical. Both upfront, in order to inform decision makers, as well as after the fact, ensuring that the impact of change is monitored to identify unforeseen issues or unintended consequences.
We can group the main types of changes we are facing into two categories:
- Technical changes
- Changes in the network (new systems/applications) (before and after the decision has been made)
- Changes in the technology landscape (e.g. cloud adoption)
- Changes in the IT infrastructure (network and system upgrades)
- Changes in the security architecture (upgrades, new technology) – Understanding how this affects our risk, and productivity
- Changes in the threat landscape
- Business changes
- Changes in the business (mergers, acquisitions, divestitures, hiring/staffing, budget/spending) – understanding how this can affect our risk, ability to meet SLAs, priorities.
- Changes in the legal and regulatory landscape – understanding how this could affect our risk (financial loss exposure, and create additional work)
- Changes in corporate policy
As security and risk managers, we need to be able to identify, analyze, act-on, and monitor these changes. In IT we have change management, which typically focuses on managing the changes around IT systems. What we are referring to here is thinking about change management at the enterprise level. We need to raise our gaze outside of just IT, to the organization and the environment in which the organization is operating. In future posts we will explore these ideas in more depth and provide practical advice on how to apply them.