
Extreme risk - how bad tech mgmt destroys firms

Slideshow about Extreme risk - how bad tech mgmt destroys firms by Eric Tachibana


Presentation Transcript


  1. Extreme risk: 10 ways poorly managed tech can destroy your company

  2. Dude, failing to manage IT risk is serious

  3. What can go wrong:
     • you might have to stop doing business altogether
     • stolen data can be used against your customers
     • the press may have a field day on you
     • it will be even worse in social media
     • you could lose critical assets
     • employees or directors could go to jail
     • competitors may learn your secrets
     • you may have to pay fines
     • the trust you've built into your brand may disappear
     IT can be extremely complex & opaque, may require very specialized skills, and changes very, very fast

  4. And just 'cause you're a small, nimble start-up does not give you license to be sloppy (especially if you hope to pass exit due diligence)

  5. Here are 10 obvious, but common, mistakes to avoid…

  6. Mistake 01: Lack leadership

  7. Mistake 01, Lack leadership: Leadership must understand the strategic importance of technology risk management. They must also be involved with decision-making and communicate like crazy.

  8. Mistake 01, Lack leadership: Leadership must put in place a technology risk management (TRM) framework that includes the right culture, policies, standards (enterprise requirements), & control procedures. They must also be responsible for communications & the quality of firm-wide execution.

  9. Mistake 01, Lack leadership: Leadership must get the right people, in the right roles, at the right time, with the right training.

  10. Mistake 01, Lack leadership: Leadership must ensure that risks are identified and prioritized by likelihood and severity.

  11. Mistake 01, Lack leadership: Leadership must identify control gaps, prioritize and budget for remediation, & monitor projects to close them.

  12. Mistake 01, Lack leadership: Leadership must approve & track exceptions.

  13. Mistake 01, Lack leadership: Line managers must be engaged & accountable for TRM. TRM must not be seen as red tape. It must be seen as a core job function of a technology manager (and disciplined/rewarded as such).

  14. Mistake 02: Lack TRM framework

  15. Mistake 02, Lack TRM framework: A TRM framework must protect data & IT assets from unauthorized access or disclosure, misuse, and fraudulent modification.

  16. Mistake 02, Lack TRM framework: A TRM framework must ensure data confidentiality, system security, reliability, resiliency, & recoverability.

  17. Mistake 02, Lack TRM framework: A TRM framework must define roles & responsibilities.

  18. Mistake 02, Lack TRM framework: A TRM framework must identify & prioritize IT assets.

  19. Mistake 02, Lack TRM framework: A TRM framework must identify & assess impact and likelihood of operational & emerging risk, including internal & external networks, hardware, software, interfaces, operations, and human resources. The firm must also have a mechanism to identify risk trends externally.

  20. Mistake 02, Lack TRM framework: A TRM framework must methodically & regularly inventory and prioritize risks, controls, exceptions, and gaps.

  21. Mistake 02, Lack TRM framework: A TRM framework must be updated regularly.

  22. Mistake 03: Lack partner oversight

  23. Mistake 03, Lack partner oversight: IT provided or supported by partners* must be in scope & leadership must fully understand outsourcing risks. Outsourced IT infrastructure is still part of your TRM. You can't wash your hands of it.
      * Provision or support includes system development and support, DC ops, network admin, BCP, hosting / cloud, and can involve one or more parties in or out of country.

  24. Mistake 03, Lack partner oversight: Proper due diligence must ensure viability, capability, reliability, & stability of vendors.

  25. Mistake 03, Lack partner oversight: Written contracts must define expected risk-related service levels, roles, obligations, & control processes* in detail. They must also be reviewed regularly.
      * For example, performance targets, service levels, availability, reliability, scalability, compliance, audit, security, contingency planning, disaster recovery and backup.

  26. Mistake 03, Lack partner oversight: A Service Level Management framework such as the IT Infrastructure Library (ITIL) must ensure continuing, monitored controls compliance.

  27. Mistake 03, Lack partner oversight: An exit / backup plan must be in place to switch partners if required.

  28. Mistake 04: Lack portfolio management

  29. Mistake 04, Lack portfolio mgmt: The entire technology portfolio/platform must be managed through its lifecycle. The business must be engaged with portfolio strategy as a key stakeholder.

  30. Mistake 04, Lack portfolio mgmt: Enterprise architecture strategy must be supported by accurate & accessible MIS and asset management data.

  31. Mistake 04, Lack portfolio mgmt: Leadership must define, document, & communicate the target state platform.

  32. Mistake 04, Lack portfolio mgmt: A professional Project / Change Management framework like the Project Management Body Of Knowledge (PMBOK) or ITIL must guide change from current to target.

  33. Mistake 04, Lack portfolio mgmt: A professional Quality Management program should ensure quality of build and operate. For example, a documented software development lifecycle (SDLC) should effectively guide development & code quality.

  34. Mistake 04, Lack portfolio mgmt: There must be strong testing & code review controls.

  35. Mistake 04, Lack portfolio mgmt: IT acquisition must be strategically aligned.

  36. Mistake 04, Lack portfolio mgmt: Technology exit planning must be explicit & tracked.

  37. Mistake 05: Lack service management

  38. Mistake 05, Lack service mgmt: Ongoing IT operations must be guided by a Service Management (SM) framework like ITIL.

  39. Mistake 05, Lack service mgmt: The SM framework should cover:
      • Change Management & DevOps
      • Release & Deployment Management
      • Capacity Management
      • Incident Management
      • Problem Management
      • Source Code Control
      • Asset Inventory & Config Management
      • Backup & Recovery

  40. Mistake 06: Lack recoverability

  41. Mistake 06, Lack recoverability: The firm needs a realistic, business-prioritized, strategically-aligned & simple business continuity plan (BCP) that ensures reliability, performance, scalability, availability, and recoverability.

  42. Mistake 06, Lack recoverability: The BCP should identify critical systems (those that must not go down) as well as recovery point objectives (RPO) and recovery time objectives (RTO) to guide restoration service levels.

  43. Mistake 06, Lack recoverability: The disaster recovery plan should cover multiple scenarios, expose dependencies, & be tested regularly.

  44. Mistake 06, Lack recoverability: Backup management must ensure that IT assets can be recovered as soon as required, depending on priority, & that dependencies are understood.

  45. Mistake 06, Lack recoverability: There should be a Communications Plan defined in advance to deal with various scenarios.

  46. Mistake 07: Lack data security

  47. Mistake 07, Lack data security: You must protect data, hardware, software, and networks from accidental or intentional unauthorized access or tampering by internal or external parties.

  48. Mistake 07, Lack data security: You must identify levels of data sensitivity and ensure escalating levels of protection based upon the significance / priority of risk.

  49. Mistake 07, Lack data security: You must have end-to-end data protection such as encryption when you are dealing with confidential data. Your controls / standards must be in force wherever your data is stored or transmitted.

  50. Mistake 07, Lack data security: You must properly dispose of assets that hold confidential data.
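Slides 42 to 44 ask for critical systems with RPO/RTO targets, a recovery plan that exposes dependencies, and backups that can actually be restored in time. The check below is an added example written for this page, not part of the presentation: it takes an inventory of critical systems, the timestamp of each system's last backup, and the restore time measured in the last recovery drill, and reports every system whose backup is older than its RPO, whose restore has never been drilled, or whose effective recovery time (its own restore plus the restore of everything it depends on) exceeds its RTO. All system names, targets and timestamps are constructed for illustration.

```python
"""RPO/RTO gap check over a constructed inventory of critical systems.

Added example, not from the presentation. Every system name, target,
backup timestamp and drill time below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CriticalSystem:
    name: str
    rpo: timedelta          # recovery point objective: max tolerable data loss
    rto: timedelta          # recovery time objective: max tolerable downtime
    depends_on: tuple = ()  # systems that must be restored before this one


def effective_restore_time(name, inventory, drill_times, _seen=()):
    """Time to bring `name` back when its dependencies are restored first.

    Uses the restore time measured in the last drill. A system that was
    never drilled, a dependency missing from the inventory, or a cycle
    yields None (unknown), so the caller can flag it instead of guessing.
    """
    if name in _seen or name not in inventory or name not in drill_times:
        return None
    worst_dep = timedelta(0)
    for dep in inventory[name].depends_on:
        dep_time = effective_restore_time(dep, inventory, drill_times, _seen + (name,))
        if dep_time is None:
            return None
        worst_dep = max(worst_dep, dep_time)
    return drill_times[name] + worst_dep


def find_recovery_gaps(systems, last_backup, drill_times, now):
    """Return {system: [findings]} for each system that misses its RPO or RTO,
    has an undrilled restore, or depends on something outside the inventory."""
    inventory = {s.name: s for s in systems}
    gaps = {}
    for s in systems:
        findings = []
        backup_at = last_backup.get(s.name)
        if backup_at is None:
            findings.append("no backup on record")
        elif now - backup_at > s.rpo:
            findings.append(f"RPO exceeded: last backup {now - backup_at} old, RPO {s.rpo}")
        for dep in s.depends_on:
            if dep not in inventory:
                findings.append(f"dependency '{dep}' not in inventory")
        if s.name not in drill_times:
            findings.append("restore never drilled: RTO unverified")
        else:
            total = effective_restore_time(s.name, inventory, drill_times)
            if total is None:
                findings.append("effective RTO unknown: a dependency is undrilled or missing")
            elif total > s.rto:
                findings.append(f"RTO exceeded: effective restore {total}, RTO {s.rto}")
        if findings:
            gaps[s.name] = findings
    return gaps


# Constructed sample inventory (hypothetical systems, not from the page).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
H, M = timedelta(hours=1), timedelta(minutes=1)

SYSTEMS = [
    CriticalSystem("db", rpo=1 * H, rto=2 * H),
    CriticalSystem("web", rpo=24 * H, rto=1 * H, depends_on=("db",)),
    CriticalSystem("billing", rpo=15 * M, rto=4 * H, depends_on=("db",)),
    CriticalSystem("reports", rpo=24 * H, rto=8 * H, depends_on=("warehouse",)),
]
LAST_BACKUP = {"db": NOW - 30 * M, "web": NOW - 2 * H,
               "billing": NOW - 40 * M, "reports": NOW - 3 * H}
DRILL_TIMES = {"db": 90 * M, "web": 20 * M, "reports": 60 * M}  # billing never drilled


def run_demo():
    return find_recovery_gaps(SYSTEMS, LAST_BACKUP, DRILL_TIMES, NOW)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In the constructed data the database meets its targets on its own, yet the web tier still misses its one-hour RTO because it cannot come up before the database's 90-minute restore completes. That is the dependency point of slides 43 and 44: a per-system RTO means nothing unless the restore order and the restore times of everything upstream are known and drilled.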
