It was the best of times, it was the worst of times. The opening line from Dickens' A Tale of Two Cities seems appropriate to describe the current situation in IT risk management.
The worst of times: unless you've been living in a cave, you're aware of several recent high-profile cases where mismanagement of IT risk has caused organizations great pain. Some of the significant cases include identity theft at ChoicePoint and the database security breach at LexisNexis.
The Bank of America has had its brand tarnished by IT security woes. It seems that just about every day, some corporate stalwart finds itself in the national media spotlight over the mishandling of customer and corporate data.
And let's not forget about widespread phishing attacks at major banks. Isn't this series of events a crushing blow to the battered image of IT? While such IT security breaches are certainly unfortunate (and often preventable), they are valuable to the IT industry because they provide real-life examples of how interlinked IT and business have become. In particular, these breaches of IT security and mishandlings of customer data serve as a much-needed wake-up call to business leaders who believe they can cut IT budgets to the bone with no discernible impact on their operations except for healthier-looking bottom lines.
Just as the accounting scandals at companies such as Enron focused corporations on compliance and financial propriety, these mishaps could bring the importance of the information management discipline to the forefront. In many organizations, this would be a welcome change.
For the past few years, many CFOs and CEOs have been systematically squeezing IT budgets -- believing there would be no downside to their actions. Specifically, they have stripped IT budgets to the point where there are barely enough resources to keep the infrastructure and applications running -- never mind supporting efforts to minimize IT risk. I believe that the recent flurry of IT risk problems is partly a result of that. IT departments are so strapped right now that they have neither the time nor the resources to initiate the kinds of measures that could have prevented many of the recent IT risk debacles. Clearly, IT can't be seen as completely blameless in these incidents, and we all need to think long and hard about how we manage customer information. I cast more blame on the bean counters here than on IT, however. In their quest for more profits, these top executives have sold IT short. They have also failed to realize that IT risk and business risk are one and the same.
My advice to IT managers: get your IT risk house in order. While you're at it, use these painful and dramatic lessons to paint a vivid picture for top executives of what happens when they continually squeeze IT budgets. Then give them the information they need to make the right decisions. It's sad to say, but your message is more likely to resonate now that a number of highly visible companies have suffered.
Barbara Gomolski, a former Computerworld reporter, is a vice president at Gartner, where she focuses on IT financial management.