Risk in IT

My preferred title for this post is RiskNiT. I should register it as a trademark, with the iT standing for innovation rather than information. Years ago, someone decided that the moniker for all the new computer and communications based technology around us should not be a simple term like information and communications technology (ICT), as the quaint Europeans would like to call it, but information technology (IT). And since the United States led in the development of many of the standards and protocols, and in the monetization of the technologies, it is natural that IT would soon stick. And sure, IT has made sense as information technology all these years, since information was the key driver for over two decades. Collection, organization, transmission, transfer, transformation, protection and governance of data (nay, information) were the key draw in the first two decades of the IT age.

In the last two decades, corporations, governments, not-for-profits (also called NGOs in other parts of the world), and increasingly individuals have built empires of information. Search (led by Google) exposed that empire for what it is, as it revolutionized the discovery and utility of information: viral and semantic discovery, metadata discovery and optimization, decision support, many other constellations of data discovery and manipulation, and knowledge management schemes. The interesting phrase here is knowledge management. Indeed, information technology has mostly been about knowledge management in the last decade or so, together with the infrastructure to support it. In too many instances the focus was on the infrastructure rather than the knowledge, which makes the case for alignment. But the opportunity for tomorrow (or let us say today) lies not in the realization of the preceding facts, but in the acceptance of the next one: the key value of computer and communication infrastructure today is innovation. Innovation has always been the i in IT, but who knew?

IT (or iT, as I prefer to call it) has been about innovation all along. As the technology matured, entrepreneurs, governments, corporations, politicians, schools and other entities smart enough to see its potential have leveraged it to foster, and in many cases create, innovative outcomes. See how social discourse has been revolutionized in the United States and around the world through the power of new technologies; Twitter, Facebook, YouTube and Google all come to mind in recent memory. And see how the cost of doing business and the reach of corporations have been transformed by the plunging cost of communications and the growing options for communicating: email, voice carried over data networks, the integration of voice, video and interactive text, and many other ideas. But with these transformational potentials, iT remains saddled with risks, and this article is ultimately about the risk in iT.

Today and, expectedly, in the foreseeable future, iT will either drive or be at the heart of every system of modern life: health care and energy, education and learning, politics and governance, entertainment and everything else in between and beyond. But herein lie the risks. iT has demonstrated a penchant for fostering interconnectivity and interdependencies, and opportunists are wont to identify vulnerabilities within complex and interdependent systems for their own, often illicit, gains. iT presents a very broad attack surface to such opportunists, be they hobbyist mischief makers, professional criminals, cyber terrorists, industrial spies or nation-state spies. Thus the need to protect iT infrastructure from the threat of attack is real and evident, and it continues to be a key driver for regulations, standards, and best-practice guidance.

In order to develop an appropriate response to a threat, the threat needs to be clearly understood, or at least efforts must be made to understand it before rational protections can be developed. In innovation (information) technology, threat is best elucidated from a risk perspective, and risk itself can be viewed from two broad perspectives.

Interestingly, there are two visions of risk: one that considers risk and security as different ends of a spectrum, and another that sees risk as a superset (or sometimes even a subset) of security. Being a proponent of the former and an advocate of a risk-based approach to security, this article will tend towards that bias. Security is a state of being immune from value-damaging or value-destroying vulnerabilities. Risk expresses the potential of losing value. One is a snapshot of a state of being; the other is probabilistic, an expression of uncertainty. In another work, I will expand these two ideas and demonstrate their value to the discussion of cyber and other security, and the potential for monetizing them in areas outside the financial and trading industries, where such monetization currently exists.

So there is enterprise risk (including, but extending beyond, technology), and technology risk as a subset of enterprise risk; these are the two core concerns of this paper. Indeed, technology risk (the common term in the literature is information (and related) technology risk) is a subset of operational risk, since modern enterprise operations depend largely on technology. But technology risk may spill over into other areas of enterprise risk. From the previous sentences we can develop a two-dimensional view of risk: one dimension associated with security, the other with opportunity. In the security plane, risk is related to vulnerabilities and value; in the opportunity plane, it is related to benefits and value. The risk in iT is a function of the value of the technology, the opportunities of adoption or non-adoption, the vulnerabilities tied to adoption, and the cost-to-benefit ratio of the technology to the enterprise in the short, medium and long term.