New IT Risk Assessment Framework (How Information Technology Keeps the Organization Safe)
Estimated read time: 1:20
Summary
In this video, Steve Murphy, Vice President at ARG, discusses a new framework for conducting IT risk assessments. He emphasizes the importance of integrating risk assessments into a SWOT analysis for a more comprehensive understanding of an organization's IT operations. By adopting this approach, organizations can better address threats, weaknesses, and opportunities for improvement in their IT strategies. The video also highlights the need for frequent risk assessments, data gathering, and effective communication with stakeholders to ensure the continuous alignment of IT security measures with organizational goals.
Highlights
Steve Murphy introduces a new IT risk assessment framework. 📊
Importance of integrating risk assessments into SWOT analysis. 🔍
Frequent assessments needed due to rapidly changing environments. 🔄
Data gathering should precede risk identification for accuracy. 📋
Effective communication with stakeholders ensures support and alignment. 🤝
Key Takeaways
Integrate IT risk assessment into a SWOT analysis for better insights. 🔍
Frequent risk assessments are crucial in today's dynamic environment. 📅
Effective communication with business line owners is key for support. 🗣️
Separate hard and soft dollar impacts when calculating risk. 💸
Use data gathering as the foundation for identifying risks accurately. 📊
Overview
Steve Murphy takes us on a journey through a modern approach to IT risk assessments, highlighting the necessity of integrating these assessments into a broader SWOT analysis strategy. This method allows organizations to not only identify and mitigate threats but also to leverage opportunities and bolster strengths. It's a strategy that champions continuous improvement and vigilance in the fast-paced world of IT security.
The video emphasizes that traditional periodic risk assessments fall short in today's rapidly changing technological landscape. Instead, Murphy suggests more frequent evaluations incorporated within a SWOT analysis framework. This proactive stance ensures that organizations remain adaptable and prepared for emerging threats while systematically improving their IT operations.
Communication is a central theme, as Murphy stresses the importance of engaging with business line owners before escalating to the executive level. By doing so, organizations can ensure that risk assessments are not only technically sound but also aligned with business objectives, garnering necessary support and resources for effective risk mitigation.
Chapters
00:00 - 01:30: Introduction to IT Risk Assessment In this chapter, the speaker, Steve Murphy, introduces the topic of IT risk assessments, prompted by a viewer's inquiry. He intends to discuss a new framework for conducting IT risk assessments, though he acknowledges that he may not directly answer the viewer's question about choosing the right product for an organization. Steve clarifies that his views are personal and not affiliated with his role as a Vice President at ARG.
01:30 - 03:00: Overview of IT Risk Assessments This chapter provides an introduction to IT risk assessments, aimed at IT leaders who need tools and information to make informed business decisions. It emphasizes the importance of conducting an IT risk assessment—whether in a formal or informal manner—before transitioning to new technologies. The chapter will discuss the definition of the risk assessment process, and what it entails within an organization.
03:00 - 05:30: Coverage Perspective and Framework From a coverage perspective the assessment looks at assets (systems, stored data, intellectual property), resources (people first, then partner and customer relationships and how they affect security posture), the internal processes that both strengthen and sometimes compromise security, and the activities, meaning the organization's operations, which must be kept functional while being kept safe. Murphy then proposes a change of framework: instead of a standalone assessment every one to two years, an interval he considers far too long in today's environment, the assessment should be folded into an IT SWOT analysis (strengths, weaknesses, opportunities, threats), the same strategic overview senior leadership runs across the business.
05:30 - 10:00: SWOT Analysis and IT Risk Assessment The risk assessment maps onto the SWOT as follows: the threats section documents where threats originate and what damage they could do; the weaknesses section lays out the known weaknesses and vulnerabilities of IT operations; the opportunities section holds the improvements that address those threats and weaknesses and the budget required to make them. The strengths section is Murphy's main reason for preferring the SWOT over a standalone assessment: a risk assessment records only the negatives, while the strengths section forces the areas of assumed confidence to be written down, validated and challenged by others, and provides a source document to return to if something goes wrong in an area believed to be safe.
10:00 - 13:30: Data Gathering and Risk Profiling Murphy reorders the process found in most of the popular literature so that data gathering comes before risk profiling: until the assets and their status are known, identifying risks is only guessing. Data gathering consists of an asset inventory, a vulnerability assessment (an automated tool or a third party), SIEM output and its analytics on the sources of threats being presented to the organization, internal and external penetration testing, and the output of cloud service security tools, which are newer to most organizations but need to be incorporated as cloud services grow.
13:30 - 17:00: Evaluating Risk Profile Risk profiling proceeds from threat sources (email, for example) to threat events (a user downloads a malicious attachment), then to the vulnerabilities and predisposing conditions that make the event more likely to succeed (an endpoint that has not received the latest operating system patch), and finally to the likelihood of the event and its impact.
17:00 - 20:00: Calculating Risk and Communication Risk is generally impact times likelihood, and Murphy calculates it in two ways. Hard dollar impact is directly measurable, such as the sales lost while a malware-corrupted inventory system stops shipping for a week; soft dollar impact covers customer goodwill, discounts and returns, and reduced future orders, which are hard to quantify but essential to understanding the overall risk. Keeping the two separate matters because a project justified on hard dollars alone is an easy conversation with finance, whereas one that depends on soft dollars is a harder conversation and may need business line owners to support the case. Communication, the last step, therefore starts with business line owners, who understand the context of the threats and can advocate within the executive team; the report then goes to the executive team, and regular updates on mitigation progress follow once budget is allocated.
20:00 - 21:00: Conclusion and Viewer Engagement Murphy closes by recapping that these communication steps come out of a SWOT supported by an IT risk assessment, invites viewers to reach out using the contact details in the video description, and asks them to like the video and subscribe to the channel.
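The risk calculation described in the "Calculating Risk and Communication" chapter (risk = impact times likelihood, with hard and soft dollar impact kept separate so that the easy hard-dollar business case can be tried first) can be made concrete as a small risk register. The following is an added worked example written for this page; it is not code from the video, from Steve Murphy or from ARG. The scenario names, threat chains, likelihoods, dollar figures and control costs are constructed illustrative assumptions, and the `justification` routing ("hard", "soft", "none") is this example's own encoding of the conversation types the video describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One row of the risk register, following the chain the video uses:
    threat source -> threat event -> predisposing condition -> likelihood
    and impact. Hard- and soft-dollar impact are kept as separate fields."""
    name: str
    threat_source: str
    threat_event: str
    predisposing_condition: str
    annual_likelihood: float    # estimated probability the event occurs in a year, 0..1
    hard_dollar_impact: float   # directly measurable loss if it occurs (e.g. sales lost)
    soft_dollar_impact: float   # goodwill, returns, lost future orders (estimated)

    def __post_init__(self) -> None:
        # A likelihood outside 0..1 usually means someone entered a percentage;
        # fail loudly rather than silently producing a grossly overstated risk.
        if not 0.0 <= self.annual_likelihood <= 1.0:
            raise ValueError(f"{self.name}: annual_likelihood must be in 0..1")
        if self.hard_dollar_impact < 0 or self.soft_dollar_impact < 0:
            raise ValueError(f"{self.name}: impacts must be non-negative")


@dataclass(frozen=True)
class RiskEstimate:
    """Annualised risk for one scenario, hard and soft dollars kept apart."""
    name: str
    hard_risk: float
    soft_risk: float

    @property
    def total_risk(self) -> float:
        return self.hard_risk + self.soft_risk


def estimate(scenario: RiskScenario) -> RiskEstimate:
    """risk = impact x likelihood, applied once per impact class."""
    return RiskEstimate(
        name=scenario.name,
        hard_risk=scenario.annual_likelihood * scenario.hard_dollar_impact,
        soft_risk=scenario.annual_likelihood * scenario.soft_dollar_impact,
    )


def rank_register(register: list[RiskScenario]) -> list[RiskEstimate]:
    """Rank scenarios by total annualised risk, highest first, so the SWOT
    threat and weakness entries are ordered by what actually matters."""
    return sorted((estimate(s) for s in register),
                  key=lambda e: e.total_risk, reverse=True)


def justification(est: RiskEstimate, annual_control_cost: float) -> str:
    """Which conversation the business case needs (this example's encoding):
    'hard'  - hard-dollar risk alone exceeds the control's annual cost
              (the easy conversation with finance),
    'soft'  - only hard + soft risk exceeds it (needs business line owner support),
    'none'  - the control costs more than the risk it removes."""
    if est.hard_risk > annual_control_cost:
        return "hard"
    if est.total_risk > annual_control_cost:
        return "soft"
    return "none"


# Constructed sample register. Scenarios and dollar figures are illustrative
# assumptions for this example, not data from the video.
SAMPLE_REGISTER = [
    RiskScenario("email-malware-inventory", "email",
                 "user opens a malicious attachment",
                 "endpoint missing the latest OS patch",
                 annual_likelihood=0.25,
                 hard_dollar_impact=350_000,   # a week of orders not shipped
                 soft_dollar_impact=200_000),  # goodwill, returns, lost future orders
    RiskScenario("partner-account-reuse", "partner relationship",
                 "partner's reused credentials appear in a breach dump",
                 "shared partner account without MFA",
                 annual_likelihood=0.10,
                 hard_dollar_impact=80_000,
                 soft_dollar_impact=150_000),
    RiskScenario("cloud-bucket-exposure", "cloud service",
                 "storage bucket made public by misconfiguration",
                 "no cloud security tool alerting on public buckets",
                 annual_likelihood=0.05,
                 hard_dollar_impact=40_000,
                 soft_dollar_impact=500_000),
]


def report(register: list[RiskScenario], control_costs: dict[str, float]) -> list[str]:
    """One line per scenario, highest risk first, with the justification route
    for the proposed control (control_costs maps scenario name -> $/year)."""
    lines = []
    for est in rank_register(register):
        route = justification(est, control_costs.get(est.name, float("inf")))
        lines.append(f"{est.name:<24} hard=${est.hard_risk:>9,.0f} "
                     f"soft=${est.soft_risk:>9,.0f} total=${est.total_risk:>9,.0f} "
                     f"justify={route}")
    return lines


if __name__ == "__main__":
    # Assumed annual cost of the control proposed for each scenario.
    for line in report(SAMPLE_REGISTER, {"email-malware-inventory": 60_000,
                                         "cloud-bucket-exposure": 10_000,
                                         "partner-account-reuse": 30_000}):
        print(line)
```

With the assumed figures, the email scenario ranks first and is justifiable on hard dollars alone; the cloud bucket scenario ranks second only because of its soft-dollar exposure, which is exactly the case the video says needs business line owners behind the case before it goes to finance.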
New IT Risk Assessment Framework (How Information Technology Keeps the Organization Safe) Transcription
00:00 - 00:30 Hi, welcome back to my channel. The topic for today's video came from one of my viewers. They asked about looking at IT risk assessments: we talk a lot about product here, but how do you know what product is right for your organization? So I don't know that we're going to answer the viewer's question in this, because I really want to talk about a new way of doing an IT risk assessment, or a new framework in which your IT risk assessment can be accomplished. Hi, I'm Steve Murphy. I'm a Vice President at ARG, and while I work for ARG, this video is my own and does not necessarily reflect the views and opinions of my
00:30 - 01:00 employer. This channel is all about giving IT leaders tools and information so they can make better business decisions, and an IT risk assessment is the fundamental process that we have to go through, whether formally or informally, to decide to make a move into another technology. So let's take a look at what IT risk assessments mean and how they might fit into your organization. First of all, we're going to look at an overview of an IT risk assessment, just define the process a little bit. We're going to talk about what's covered,
01:00 - 01:30 we're going to talk about what a new risk assessment framework might look like, and then we'll go through the steps of a risk assessment. Let's start with a quick overview of IT risk assessments. First of all, we have to acknowledge that there's no way we can prevent all cyber risks from affecting our organization. If we were to lock down our environment so tightly that it would be impervious to any cyber risk, well, we probably wouldn't get any work done. So an IT risk assessment helps us focus on the areas where we need to add
01:30 - 02:00 additional protective measures in order to ensure that the worst doesn't happen to our organization. So the IT risk assessment answers the following questions: what assets do I have, and how much damage would we suffer if those assets were compromised? The next question is, how would the compromise of those assets affect our business? And then lastly, what are the events that could compromise the assets, and how likely are those events to happen? That's what the IT risk assessment
02:00 - 02:30 attempts to answer. Now, from a coverage perspective, we look at the assets of the organization: what systems do we have, what data are we storing, and what intellectual property are we trying to protect? From a resources perspective, we have to assess people first, and then of course our relationships. These are primarily partner relationships, or they may be customer relationships, and how they affect our security posture. And then, what are the processes that we have internally that both make us more secure and sometimes compromise security? Lastly,
02:30 - 03:00 what are the activities that we're trying to protect? This is essentially the operations of the organization: how do we keep operations functional while we're also trying to keep them safe? I'm going to suggest that we look at risk assessments differently than we might have in the past. Typically, a risk assessment would be something that an organization would do periodically. I've heard one every one to two years: you want to do a risk assessment. I think that a two-year interval, and probably even a one-year interval, is way too long in today's
03:00 - 03:30 dynamic environment. But something that you would do periodically to evaluate your overall risk posture, I don't agree with that. I think the risk assessment within the IT organization needs to be included in a SWOT analysis. SWOT stands for strengths, weaknesses, opportunities and threats, and it's a strategic overview of IT operations. It's what your senior leadership is generally doing around the business on a regular basis. I suggest that IT organizations have their own SWOT analysis around the IT operations.
03:30 - 04:00 Now, the IT risk assessment is generally going to be included in the threat category of your SWOT analysis. This is the area where you're going to document where the threats are originating and what damage they could do. We're going to have another part of the IT risk assessment included in the weaknesses area. This lays out the known weaknesses and vulnerabilities of the IT operations. And then in the opportunity section, we're going to have elements for
04:00 - 04:30 improvement and how we can address those threats and weaknesses, and this is also where you might identify the budget required to make those adjustments, so you can address those threats and weaknesses. Now, this last section is, I think, the most important reason why you need to have a SWOT analysis as part of your overall IT strategy, with the risk assessment being part of that SWOT analysis, because I think the big Achilles heel of a risk analysis is that there are an implicit number of assumptions being
04:30 - 05:00 made about areas in which you're confident. A risk assessment tends to be "where are the negative elements", and it doesn't do a good job of documenting the positive elements. A SWOT, on the other hand, has a strengths section where you can document all the positive elements, and those positive elements need to be validated, because when we are evaluating risk, we tend to be overconfident in what we think is safe. And by documenting those areas of confidence, we can then be
05:00 - 05:30 challenged by others around us as to what we might be overconfident in, and at least if something bad does happen within those areas in which we're confident, we at least have a source document to go back to that substantiates the level of confidence that we put in those measures. So I think a SWOT analysis is really a much better framework for a risk assessment than a standalone process. Let's get into the process of actually going through a risk assessment. I'm going to reorder the process that I see in a lot of the popular literature out there, and I'll give you a
05:30 - 06:00 good example. So this step one, data gathering, is usually the second step in most of the literature that you'll see out on the internet, for example, in terms of how to conduct a risk assessment. Step one is usually a risk profiling process, where you identify the risks that you believe you're subject to. I actually think that's kind of a waste of time, because until you've done your data gathering, until you know what assets you have and what the status of those assets are, you really can't identify risks. The only thing that you can really do is guess,
06:00 - 06:30 and so rather than guessing, I'd rather gather data first, and then we can work through an informed process in terms of determining where we have risks. So what does data gathering look like? Well, of course we're going to take an asset inventory. We're going to run a vulnerability assessment tool; that may be an automated tool, or you might have a third party come in and do a vulnerability assessment for you. It may be something that comes out of your SIEM, and your SIEM will have other analytics that are available to you to help you identify the data and the sources
06:30 - 07:00 of the threats that are coming into the organization, or being presented to the organization. You might have a third party, or you might do your own penetration test, to identify some pockets of exposure that you have, both internally and externally. And then you're going to want to look at your cloud service security tools as well. These are typically newer tools to the organization; they may not be as familiar with some of the legacy tools. But as our cloud services begin to
07:00 - 07:30 grow, we want to start incorporating those tools into our risk assessment. Now we want to evaluate our risk profile. So in that, we identify the threat sources. Email is a typical threat source, for example. And then identify the threat events: so someone might download a malicious attachment through their email account. We then identify the vulnerabilities and predisposing conditions. Maybe that endpoint hasn't been updated with the latest operating system patch; that's a predisposing condition that
07:30 - 08:00 might make that laptop, or that endpoint, more susceptible to accepting that malware. And we want to evaluate the likelihood of this event happening, and determine the impact. And then lastly we get to the risk. So the impact times the likelihood is generally the risk, and I like to calculate risk in two ways. The first is hard dollar risk. So if someone downloads an attachment from an email and it infects their endpoint, that endpoint malware propagates through the
08:00 - 08:30 system and ultimately corrupts our inventory system, so we can't ship orders for a week. That hard dollar impact is the sales that were lost during that down period. The soft dollar impact is the customer goodwill, the discounts or returns that we might get because our goods were not received in a timely basis and the customer sourced it from another vendor, possibly, and the reduction in future orders from those customers. Those are all soft
08:30 - 09:00 dollar costs that are really hard to quantify, but super important for us to understand the overall risk to the business. Now, by calculating the hard dollars and the soft dollars separately, sometimes you can justify a security upgrade project simply from the hard dollar cost, and those are usually really easy conversations to have with your finance organization. If you need to go to a soft dollar type of conversation, because you need more risk associated with the vulnerability to justify the
09:00 - 09:30 solution, those tend to be more challenging conversations with finance and those responsible for allocating budget, and you might need to get your business line owners involved to help support the business case. And that gets us into the last step of a risk assessment. Again, I said this is going to be pretty high level. The last step, though, is communication, and my recommendation is to communicate with those business line owners first, before we take something to the executive team, because the business line owners will understand the context of the threats
09:30 - 10:00 that we're talking about, and will help you establish more of that context within your own report. And they can also be strong advocates for you within that executive team to help you mitigate some of the risks that you've identified. So then you want to take it to the executive team. Hopefully at some point you get budget allocated, and then you're going to want to give regular updates to the organization as to how you are going about mitigating these risks. Those are the key communication steps that I would see coming out of a SWOT, or strengths,
10:00 - 10:30 weaknesses, opportunities and threats, that is supported in an IT risk assessment type of process. As always, feel free to reach out for a further conversation. I'm always happy to hear from my viewers. My contact information is in the description of this video, and again, I'm happy to hear from you at any time. If you've got some value from this video, I'd appreciate a thumbs up, a like, and thank you very much for doing that. And if you want to return to this channel at your convenience in the future, the best
10:30 - 11:00 way of doing that is by hitting that subscribe button. That will put my videos in your feed, and you'll be able to come back here at your convenience. And with that, I thank you for your attention, and I hope you have a great day.