A New View of Risk

IT security historically was a low priority. Only now are firms approaching the risk associated with their technology infrastructures as a business-critical initiative with substantial bottom-line implications and devoting greater resources to their maintenance.

Why It's Important: Senior management finally is embracing the idea that maintaining the integrity of their businesses' infrastructures is a paramount contributor to mitigating security, operational and compliance risk -- a business has to be able to defend against threats to its technological foundation. With federal regulation imparting executive-level responsibility for faulty business processes, coupled with the rise in electronic threats, the people responsible for risk management on the Street are reexamining IT and how infrastructure security best practices can impact the business.

Where the Industry Is Now: IT risk management projects typically have been isolated, with a "dash of firewall here and a pinch of intrusion detection there" mentality. This has created a legacy of software and service silos, which, through their attempt to manage threats individually and their lack of integration, struggle to keep infrastructure integrity under wraps and result in an exorbitant cost of ownership. Additionally, firms often do as little as possible to meet regulatory standards as a result of constantly changing rules, lack of clarity and perceived over regulation.

Firms are beginning, however, to understand the implications of failure to secure their businesses comprehensively. Not only can a data security breach or compliance failure result in monetary losses, it also can cause damage to a firm's reputation. Further, there seems to be a collective realization that the most effective way to avoid regulatory pain and penalty is to stay ahead of the game. Basel II, Sarbanes-Oxley and the European Union's Markets in Financial Instruments Directive have initiated the movement toward a holistic business culture of operational efficiency and compliance.

Focus in 2006: As this holistic view of IT risk management moves into focus, technology professionals will reap the benefits. CIOs can expect to have a somewhat easier time arguing a business case for security, operational and compliance technology initiatives as fear of accountability and brand damage will continue to run high. Additionally, new, specialized positions will pop up with executives assigned specifically to manage IT risk. Chief Technology Officer, Chief Security Officer and Chief Risk Officer are titles that will find their way onto more business cards in 2006, with even-more-specialized technology risk and control positions just around the corner.

Industry Leaders: The biggest players have the most complicated systems, and it's no surprise that it is the major firms that are trying to mitigate their IT risk most aggressively. JPMorgan, the investment banking division of JPMorgan Chase, has been working to control technology operational risk for nearly a decade. The firm has a team of more than 50 people assigned to implementing control programs and maintaining an enterprisewide view of risk across the IT infrastructure.

Technology Providers: Successfully managing IT risk involves the integration of a variety of operational, compliance and security technologies, for which firms are looking for a one-stop shop. Vendors offering universal threat-management solutions covering the spectrum of IT risk include Cisco, Nortel and Symantec.

The Price Tag: Deploying technologies, removing legacy systems and staff training are just a few of the costs associated with the new risk-mitigation movement. To change the risk mitigation mind-set across the enterprise, JPMorgan has incentivized operational controls. Individuals are compensated for employing appropriate controls and addressing inefficiencies or areas of risk in the IT infrastructure. <<<