Managers Overlook Implications Of Security Failure

Understanding operational risk has gained increasing importance as financial institutions evolve towards 24/7 service delivery and respond to the growing demands of financial regulations, from BASEL II in Europe to Sarbanes Oxley in the US.

In tandem, there is a growing awareness of the role that business continuity and availability (BC&A) can play in mitigating operational risk. According to recent research undertaken by HP, the vast majority of respondents, primarily senior personnel within the banking sector, believe improving BC&A is very important, even essential, in improving operational risk. As one Operations Manager said, “If our customers are the foundation of our company, improving service continuity and Availability will improve operations as well.”

Furthermore, there is strong recognition of the key areas of potential business risk: from compliance and improved governance to the protection of key data, service availability and operational efficiency. Indeed, the business process identified as most important to maintain is the delivery of customer service.

However, while many of these business managers demonstrate clear understanding of the potential for major disaster, few show any real understanding of the day to day risks associated with ensuring consistent business operations. Indeed, only one Operations Director demonstrated real understanding of the challenges associated with managing corporate risk. He said, “Risk monitoring is always challenging because there are always new threats you have to look out for.”

Indeed risk events range from low to high frequency and low to high impact. And most managers have a traditional view that BC&A covers the low frequency, high impact disasters through company wide disaster recovery plans, and the high frequency, low impact problems such as power outages or network failure. This completely overlooks the high frequency, high impact incidents of security lapses.

Yet good security underpins every aspect of corporate business: from regulatory compliance and controlling access to resources to constructing a trustworthy infrastructure and countering threats. How, for example, would the organisation meet its customer pledges for service delivery if secure sign on solutions to control access for both employees and customers fail?

In a highly mobile environment, threats are not just external – they come from disgruntled employees, those using laptops, PDAs even wireless networks to gain access to sensitive, often customer, information. At the same time, no organisation can improve governance without an excellent security infrastructure that reflects business specific threats, vulnerabilities and corporate objectives.

Business managers need to understand the implications of security on the delivery of key services. Turning to an external supplier for risk and business impact analysis is key to gaining that insight and bridging the obvious gap between business and IT goals to minimise operational risk.