back to article IT risk becomes board-level issue

IT systems have become so integral to businesses that their failure can have disastrous consequences for an organisation, according to analysts Gartner. The run on UK bank Northern Rock, resulting from saver fears after the firm went to the Bank of England for finance after loans on the money markets became unobtainable, is …


This topic is closed for new posts.
  1. Alastair Dodd

    errr that paper has a stupid title

    "IT risk is too important to be left to IT departments,"

    So the Beancounters and al the people who have no clue about it should have control? BAD IDEA.

    Be sensible and put the head of IT on the Board. My company has a very strong business risk factor with our IT as it's the core of the business, hence we have a IT director on the board. Shame he won;t spend any money so our systems seems to be held together with sellotape and gum, but at least he's on the board.

  2. Magnus Egilsson

    At the risk of sounding negative . . .

    Its simply funny seeing a company like Gartner announcing the common knowledge and proly make loads of money on it. Good biz.

  3. Alan Paice

    IT need to sit on boards

    Whats a point of explaining to people whos focus is and rightly so on making money for the business. This is the reason why an I.T director needs to sit on the board. Not however just some one who did a MBA but barely knows how to turn on their PC.

    I mean Technical managers (may be an MBA?), promoted to the board of directors who know the risks, and the technical solutions to them and not just lots of business and management buzzwords.

  4. druck Silver badge

    Oops the plug fell out.

    IT systems may be of vital importance when you are retailer trying to sell things over the internet, or offering online banking services in normal times. But when tens of thousands of people are trying to get their money out, threatening to send the bank under, having the plug accidentally fall out the back of the web server so they have to go an queue up in the rain outside the branch, isn't such a bad thing. It would be a real pain in the arse if your disaster recover system kept everything going then.

  5. Ian Sargent

    The message to middle and senior management - WAKE UP!

    Unfortunately this seems to be an area that is getting worse rather than better in this country and much of the problem can be resolved with a bit of education and common sense – and some money of course.

    Some of the issues:-

    1. ‘Highly qualified’ IT managers in small/medium sized organisations that are quite simply ignorant of even simple risks (IT) within their department or within the business as a whole. They may have an IT related degree (or whatever!?!?) but have little or no ‘business acumen’ and are unable to see further than their nose while, one way or another, the big picture is ignored or worse still take the attitude of “It’s not in my job description”.

    2. Insufficient funding for IT departments to enable them to provide proper protection against known risks and plan for currently ‘unknown’ risks.

    3. Most IT departments are ‘cost centres’ and this, in my opinion, is wrong. They should be ‘profit centres’ and charge their users accordingly for every byte of storage and data transfer used so that relevant levels of ‘protection’ can be provided without the need to go begging for additional funds – that in many cases are desperately needed.

    4. Ignorance, from middle management to board level, of even simple issues relating to IT risks that can be seriously detrimental to the business as a whole.

    5. Management, up to board level, simply not listening to IT managers who DO know what they are talking about.

    6. Dare I even mention the ‘jobs worth’ brigade? Those people who couldn’t manage their way out of a wet paper bag but who are however brilliant at justifying and protecting themselves and who get promoted sideways rather than being fired?

    7. The perception of IT has changed over the years and is now seen, by many, to be much simpler. Let’s face it, our children now leave school with a high level (??) of knowledge of ICT and the Internet – so how difficult can it be?

    The fact is that much of IT - at the user level - IS simple, unfortunately many people see and believe this is still the case when it comes to ‘business systems’ as a whole, the truth however is very, very different. Just ask the MD what the effect would be if he/she lost his/her PC for 24 hours because of a disk crash – with vital unprotected information on it? Worse still, ask if they know/realise what the effect of losing a major system for 24 hours would be? Don't be surprised at the answer though!

    The message to middle and senior management - WAKE UP!

  6. chris stephenson

    More Governance

    In my experience IT risk auditors are finance types who don't understand IT and thus cannot adequately assess the risks. And if they are auditing my systems I may be unwilling to point out thier oversights. Regardless it's a tick in another governance box.

    This is set to become a growing revenue stream for the big 5. And for many folks another good reason to outsource.

  7. Andy Bright

    IT risk is too important to be left to IT departments?

    Interesting, but hardly surprising. After dealing with the kind of car-salesman this guy obviously is, during the late nineties, is it really surprising that they've moved on from selling web services they knew nothing about, to IT security and infrastructure?

    Yes, let's take away IT disaster management and network security from the people that have a clue. After all there's money to be made in this malarky, and anyone with a Bachelor of Sales (BS) can be an IT Security expert after 3 months of Learning to use Office night courses.

    What we really need is a bunch of slick salesmen trying grab a piece of the market, selling their snake oil to boardrooms across the country, and eventually destroying the reputation of the few genuine providers of these services.

    Anyone notice that during the so-called dot comm crash, the businesses that actually knew what they were doing, and actually had a product, didn't crash at all? However what did happen was their names were thrown in the toilet along with all the charlatans that cooked up fancy websites to fund their sports cars.

    Now these same people appear to have found a new target, IT security, and their first mission appears to be to take it away from anyone that can point out what they're saying is bullshit.

  8. Sceptical Bastard

    Impartial and important news

    Quote: ""IT risk is too important to be left to IT departments," said Hunter, who has written a book on the subject, entitled IT Risk: Turning Business Threats into Competitive Advantage, which was launched at the Gartner IT security summit earlier this week."

    Biting the hand? Nah, meekly publishing advertising by a consultant (and, as all avid readers of BOFH know, consultants are scum).

    Another day, another press release masquerading as news. Wake up, Vultures! Simon and the PFY would be ashamed of you.

  9. Anonymous Coward
    Anonymous Coward

    @ Chris Stephenson


    As an IT risk auditor, and security advisor, for a big 4 firm I strongly object to your description of my team as financial types who do not understand IT. We have a mixture of ex developers, network designers and managers and sys admins who try to help clients understand what risks they face, and provide practical advice on what can be done to manage them.

    I could equally cast another stereotype about most techie people not understanding the difference between a balance sheet and a cash flow statement, however, like your statement would be a generalisation and disingenuous.

    It is important to recognise that there are different reasons for carrying out work like this and if the audit is being done to assess the risks of a material misstatement occurring in the financial reports of an organisation the auditor is unlikely to look into external threats from users with “l33t skillz”. Having said that, your jobs-worth attitude to risk “if they are auditing my systems I may be unwilling to point out thier [sic] oversights” shows the contempt with which you hold your organisation’s risks, and perhaps demonstrates why you should be audited more rigorously and regularly than most.

  10. Raheim Sherbedgia

    Damn Right

    IT risk is too important to be left to IT departments? Absolutely correct.

  11. Anonymous Coward
    Anonymous Coward

    What kind of risk???

    There is no such thing as IT risk. All risks should be regarded as business risks. The threats may present themselves through the IT systems and infrastructure, but the risk is to the business and should always be regarded as such.

    I agree with others in this thread that it is time that business woke up. For the vast majority of organisations the role of IT is to support the business in delivering its objectives. I am constantly amazed how may companies see business continuity as an IT issue - the clue is in the first word "business". IT disaster recovery has an important part to play in supporting the recovery of the company, but the focus must always be on the business and what it needs to achieve.

    The IT director on the board is a good idea, as long as he is able the explain how threats to the IT systems and infrastructure would have an impact of the organisations ability to operate, rather than the impact on IT.

  12. Jason Scrutton


    IT risk is much more simple, it is about (in IT terms) what COULD go wrong (and is worth tracking, as most risks are not) - i.e. will it get in the way of achieving your objectives?

    And naturally the organistions' objectives are well defined and everyone who should do understands them...

    The board should know what they aim to achieve, and have a better than evens idea of what is likely to go wrong.

    IT is important, but it is just a tool that may contribute to achieving strategic objectives, if isn't that, it is usually a waste of capital and lots of overhead.

    And whoever defined Northern Rocks' 'commercial strategy' knows less even about basic finance than they do about risk!

  13. Chuck Jones, ChoicePoint

    ChoicePoint Responds

    You wrote in this article that “ChoicePoint's reputation was thrashed by the 2006 breach which made it the ‘poster child for ID theft,’ ” attributing the quote to Gartner group vice-president Richard Hunter.

    To be completely objective, I’m sure you will also want to publish at least some of the comments contained in an independent report that Mr. Hunter’s employer, Gartner Research, issued a year ago on this same topic.

    “ChoicePoint transformed itself from a ‘poster child’ of data breaches to a role model for data security and privacy practices,” begins the report, written by Mr. Hunter’s colleague, Avivah Litan.

    In the introduction to her case study, Ms. Litan wrote: “ChoicePoint has now become a role model for protecting customer data privacy. To find out how ChoicePoint managed this turnaround, Gartner spoke with key players involved in this project.”

    So you and your readers can fully appreciate the ChoicePoint turnaround, the full text of the Gartner report is available at:

    Thank you.

  14. Michael Schwarz

    Information Security and the IT Department

    The Official (ISC)2 Guide to the CISSP CBK addresses the issue of where the Information Security function should be placed within the organizational hierarchy. It considers the pros and cons of various reporting models, including reporting to the IT Department and reporting directly to the CEO, as well as other models. It makes no overall blanket recommendation, since each approach has drawbacks as well as advantages, and the best fit really depends on the type of company.

    The main disadvantage of placement within IT is the potential conflict of interest this can represent (e.g. "if they are auditing my systems I may be unwilling to point out their oversights"). The IT emphasis on maximum features and functionality at minimal cost, usually working to a tight schedule, can easily deprecate security considerations. Regardless of where it is placed within the organization, Information Security requires the full attention, commitment and support of the highest levels of management.

    Here is an alternate version of the contentious quote, taken straight from the Gartner website: "IT risk is too important to be delegated entirely to the IT organisation." Well, I don't think you can argue with that. Risk awareness should be instilled in all employees across the enterprise, and everyone needs to take personal responsibility for security, rather than passing the buck by claiming that it's merely an IT issue. Hunter also correctly stresses that risk should be managed not eliminated, and that Information Security exists to support that business goals of the organization and must be justified on a cost-benefit basis.

    I am less convinced by the assertion that availability trumps the other risk management objectives. It is certainly critical, particularly for applications such as e-commerce or SCADA, but I can think of plenty of organizations where confidentiality is (or should be) at least as important if not more so. TJX anyone?

This topic is closed for new posts.