In today's world, can everything represent a risk?
Information technology
We begin 2024 with the expectation that our information, our networks, our users, clients, suppliers and our relations with the government are protected, in compliance with the applicable norms, rules and laws. However, risk is omnipresent: we have already had the task of managing risks, threats, vulnerabilities and countless other topics that we all encounter, region by region, around the world, and yet those in charge are expected to guarantee 100% cybersecurity.
Let's define risk as a representation of any type of uncertainty that can affect an organization's ability to achieve its business objectives.
Not everything is IT: we must consider that there are many forms of business risk, including those that involve projects, finances, cybersecurity, data privacy, regulatory compliance and environmental factors.
It is very easy to think that everything is bad; however, it is not this way. Not all of these risks are negative: there are also positive ones that present robust business opportunities. What is necessary is a planned and determined approach to understand, and then manage, the balance between risk and reward.
It is not strange for those of us in this fabulous IT profession that we ended 2023 with a race among suppliers claiming to have the answer to every eventuality we could encounter in our daily work.
The reality is that, to date, no provider gives us a fully integrated solution; rather, we have to combine applications and solutions from various providers to cover our data, infrastructure and user protection layers as far as possible.
I am aware that our scope may often include potential risk events caused by any number of cyber or technological root causes, including threats to or failures in the technology logic or infrastructure hardware, that is, cyber and IT risk exposures. Of course I am also sure that these can affect not only the organization and our IT systems, but also customers and suppliers.
Is it important to understand the scope?
Of course: risk factors can have a major impact on how businesses operate and can prevent them from continuing to operate effectively.
The ability to face risk better than competitors is undoubtedly the factor that will contribute to the success of a company dedicated to computer security. Failure to do so could mean a disaster, perhaps an irrecoverable one; of course, it depends on the impact. For these reasons, it is essential to apply a proven and consistent process to manage risk, built on a solid foundation of enterprise risk management.
I recommend that risk management be effective. How do we achieve that? An organization must work at levels that comply with the following principles:
I consider that the best-known risk management process is the one described by the International Organization for Standardization (ISO, a common acronym across languages); in this case I am referring to ISO 31000, its risk management standard. It includes extensive information on how to communicate, manage and report on various risks. In practice I know that the process is essentially the same for any type of entity and includes the basic steps to document, evaluate and manage risks.
We must be very skilled at further adapting risk management processes to the different elements of the business objective scope. For example, approaches to assessing risk for traditional, internally managed on-premises systems will differ from those for a cloud service, where more depends on the cloud service provider: this is a shared (combined) responsibility.
Also very important is adapting the depth and focus to the breadth of the scope. For example, a broad scope in a complex organization will require a significant amount of resources, or compromises in evaluation quality; on the contrary, a limited scope can exclude risks that can significantly affect the organization. This is somewhat misleading, especially when we take it to the management of the company, since unfortunately many still believe that what is spent on IT and cybersecurity is an expense, instead of what it truly is: an investment, which will return to us in many ways. Otherwise we have to pay a penalty for loss of data, or have the operation stopped for not having considered the possible risk scenarios, among many other consequences, some of which fall into the legal field.
Taking into consideration the evolution of systems and of malicious parties, I believe that by 2025, 60% of organizations in highly regulated industries will create a dedicated cyber risk management function, or equivalent, that will provide cyber risk expertise, support and cyber risk monitoring, and will challenge risk-related decisions by security and risk management leaders, with, of course, increasingly IT-trained staff.
You can have any tool that comes on the market for cybersecurity, and you can invest a lot in hardware or cloud services; however, locally you will always need personnel with experience and knowledge of cybersecurity issues and everything they entail, such as infrastructure, methodologies, ISO standards, metrics, compliance with SLAs, and clients and suppliers, who also become partners in combating cyber risks. This is achieved when the IT members speak with those in the IT areas of the clients and suppliers; we can even add government specialists.
My reflection is: “We do not manage risks in order to have no risks; we manage risks to know which risks are worth taking due to their impact. Which ones will take us to our goal? Which ones have a sufficient cost to even take them?”
This is one of the most arduous and laborious tasks when we present our risk management plan of any kind: convincing people that it is necessary, that it is already an obligation to take this IT factor into account, even when it is not openly recognized and there are biases. However, organizations that do not yet have fundamental risk management capabilities to respond to these demands struggle to convince stakeholders of the value of risk management, much less to effectively prioritize addressing risks based on their objectives, address known problems and create business opportunities. Instead, they are forced to turn to negative themes as a basis for investing in the necessary risk mitigation measures.
It no longer surprises me: the use of alarming statistics, inflated risk exposures, failures of or among the competition, and other messages of fear, uncertainty and doubt is common. Therefore, I recommend that we analyse the effectiveness of our strategies: how much have you reduced probability and impact? Evaluate your contingency and mitigation strategies and reassign effective assessments to your risks.
Briefly, the 4 steps of the risk management process or plan:
Risk recognition:
Risk assessment:
Risk mitigation: Transfer the risk.
Risk control:
Risk management?
We know that the activities whose objective is to keep the risk below the established threshold are what is called Risk Management. Organizations that decide to manage the risk of their activity must carry out two major tasks:
Risk analysis
It consists of finding out the level of risk that the company is bearing. To do this, methodologies traditionally propose carrying out an inventory of assets and determining the threats, the probabilities of their occurrence and the possible impacts.
Risk treatment
For those risks whose level is above the desired threshold, the company must decide which is the best treatment to reduce them. This decision must always pass an economic filter: the cost of treatment, or cost of protection, must not exceed the reduction in the cost of the risk that it achieves.
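As an added illustration, not taken from the article, the following Python sketch runs the two tasks just described (risk analysis against a threshold, then the economic filter on a treatment) over a constructed risk register. It assumes that the risk level is computed as probability multiplied by impact, which the article does not specify, and all figures are invented.

```python
# Added illustration, not from the article: a minimal risk register that runs
# the two tasks above. ASSUMPTION: risk level = probability x impact (expected
# annual loss); the article names the inputs but does not fix a formula.
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    probability: float  # estimated likelihood of occurrence per year (0..1)
    impact: float       # estimated loss if the threat materialises

    def level(self) -> float:
        return self.probability * self.impact

@dataclass
class Treatment:
    name: str
    cost: float                  # annual cost of protection
    residual_probability: float  # probability after the treatment
    residual_impact: float       # impact after the treatment

def risk_analysis(register, threshold):
    """Task 1: the risks the company is bearing above the accepted threshold."""
    return [r for r in register if r.level() > threshold]

def economic_filter(risk, treatment):
    """Task 2: treatment passes only if its cost does not exceed the
    reduction in risk cost it achieves; returns (passes, reduction)."""
    residual = treatment.residual_probability * treatment.residual_impact
    reduction = risk.level() - residual
    return treatment.cost <= reduction, reduction

# Constructed sample data; the figures are illustrative only.
REGISTER = [
    Risk("customer database", "ransomware", 0.10, 500_000),  # level 50_000
    Risk("public web server", "defacement", 0.30, 20_000),   # level 6_000
    Risk("laptop fleet", "device loss", 0.50, 4_000),        # level 2_000
]
THRESHOLD = 5_000  # accepted expected annual loss per risk

if __name__ == "__main__":
    backups = Treatment("offline backups + restore tests", 15_000, 0.10, 100_000)
    for r in risk_analysis(REGISTER, THRESHOLD):
        print(f"{r.asset}/{r.threat}: level {r.level():,.0f} exceeds {THRESHOLD}")
    print(economic_filter(REGISTER[0], backups))  # (True, 40000.0)
```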
On other occasions we have talked about risk management; I start 2024 with a brief reflection on what it represents, the obstacles and difficulties to its correct implementation, and some observations that generally come in the fine print or are simply not said.
Dear network, contacts and colleagues, may this year be very successful and may we have health and happiness. Without further ado, for the moment, I look forward to your comments.
Your friend,
Partner Assistant at Muñoz Manzo y Ocampo S.C. (11mo)
Thank you very much for your advice; it is a pleasure to read your articles, they are very helpful.