This article first appeared on Forbes.com Jul 22, 2020, 01:44pm EDT
During the past four months, the business world has woken up again to the reality of reacting quickly in a fast-changing environment. Some of these shifts in operations are obvious, such as remote work and limited travel for conferences and meetings. Other risks have emerged, though, that are less obvious. IT security concerns, for instance, have increased dramatically and are shifting in unpredictable ways that require us to take on new tactics to prevent data theft, malware and extortion.
In the past, companies commonly reviewed their "register" of IT risks once a year. Essentially, they checked off the boxes for a SOC 2 audit, which evaluates the controls that protect customer data against five trust services criteria: security, availability, processing integrity, confidentiality and privacy. This is where two-factor authentication, encryption, firewalls and quality-assurance controls come into play. Strictly speaking, SOC 2 is an auditor's attestation report rather than a certification, and no law requires it, but many enterprise buyers will not sign a contract without a clean report, so in practice companies must pass these requirements to sell products and services to others.
Today, that’s not enough. The pandemic has accelerated our reliance on work-from-home software and go-to-market digitization efforts, and companies need to shift quickly to address new attacks. The old methods of risk assessment are now as passé as client-server technology from the 1990s, and gone are the days when we can simply plan for next year’s IT risks.
To tackle these rapidly changing risks, we need to adopt the same agile methods that technology companies have used for more than 20 years. Incorporate these six principles into your IT risk strategy so you're ready for the new threats to come this year:
1. Track your company’s new opportunities and threats.
I remember the dot-com crisis of 20 years ago. There was an incredible opportunity to digitize everything, but we didn’t know exactly what to build, and following last year’s plan simply didn’t work. The companies that were successful knew how to react to the risks of the day. They didn’t follow a grand plan. They continually assessed risks, acted quickly to manage those risks, and they survived.
Similarly, we’re living in a world of rapid changes. Take a quick inventory of the new strategies you’re adopting — such as work-from-home plans or accelerated online sales — and identify the threats that are associated with them. For instance, you need to understand how data is collected, stored and secured and what role you play in that. Add these to your risk list and ensure that you address them, not ignore them.
2. Review your risks monthly.
We're seeing an increasing number of attacks online, and the threats that overwhelm us one week are not the same ones that crop up the next. You need an up-to-date list that accurately corresponds to the new opportunities you're pursuing and the new software you're using. An annual review was adequate when the pace of adopting digital tools and sales systems was much slower; it no longer is. Instead, I recommend a monthly review, or every two weeks if possible.
3. Re-prioritize last month’s efforts.
As you review your risks monthly, it’s just as important to deprioritize issues that are less relevant as it is to add new ones. The threats from last month may no longer be as urgent, which happens often now, so you should reduce efforts in these areas. The latest attack tactics are always changing, and your company can (and should) be dynamic in its response as well. Be ruthless about focus.
4. Pick your top 5 risks.
If you try to tackle every potential IT risk out there, you'll quickly become overwhelmed. Add all of the relevant possibilities to your list, of course, but highlight the five that would do the most harm to your business. Then implement the steps that make progress on those priorities before putting much effort into items further down the list. If you try to tackle 50 risks, you won't get far on any of them, so focus on your top five.
5. Do weekly check-ins.
Touch base with your top risk owners, even if only through a quick, regular chat on an internal messaging app. That keeps those risks top of mind. Promise that the check-ins will stop once the risk leaves the "top 5" list; this reminds busy colleagues that risk is a top priority. During these regular checks, ask three questions: "What progress was made last week? What actionable steps will be accomplished this week? Are there any blocks or barriers that need support?" This simple and vital communication will create significantly more progress than waiting for a report just before the next board of directors meeting. Don't wait, or it'll be too late.
6. Make it a habit.
This final agile principle seems obvious, but it's often the most difficult step to turn into a habit. When companies face an IT issue that compromises data or affects sales, they double down on risk management in the short term, but it often devolves into complacency again in the long term. These new threats aren't going away; in fact, they'll continue to increase as we ramp up more digital processes through the rest of the year. Create a sustainable plan by making risk review a core priority and building the review process into your team's monthly and weekly tasks.
Ultimately, the responsibility of risk rests on your company’s shoulders, and now is the time to schedule regular checks for new threats. You’re in a great spot to capitalize on the rewards of our renewed acceleration toward an online and digital world, and part of that process includes managing IT risks quickly. If you implement agile principles to address those risks, your company will make better decisions in an uncertain future.