By Dana Morrison, Auditor, Carolinas IT
Before purchasing our house, I acquired a home inspector to go through our would-be home. He checked our roof, attic, heating and air, crawl space, deck, moisture levels, and probably hundreds of other things. Our home inspection report detailed many items that needed to be resolved, but fortunately, few were significant.
One primary concern existed in our backyard. It was a huge pine tree that had a threatening lean toward the house. When thinking about the potential risks that might affect the tree (strong winds, storms, etc.) and given its ability to perform substantial damage to our house, or maybe the neighbor’s house, it was obvious to us that the tree needed to be removed.
Though there was a discussion about how the tree might affect shade in the summer and the layout of the backyard, these concerns were minimized by the risk itself. A huge tree that had the capacity to inflict many thousands of dollars worth of damage was not a risk I considered acceptable. So, we hired a company to perform the tree removal. The removal company brought in a crane and in a matter of 3 to 4 hours, the threat was completely removed.
In thinking about the process of purchasing and protecting our home, I’m drawn to the similarities of auditing Information Systems. A home inspector provides a risk assessment which is based on his wide experience. A potential home buyer, or owner, weighs out the risks as outlined and makes a determination to take action.
Inaction would simply be risk acceptance. Risk transfer might come in the form of insurance (like fire or flood insurance). Risk avoidance might be a conclusion that there are things you won’t do, like light a fire in a fireplace that has a damaged chimney. Risk mitigations may be proactive approaches to risk, like hiring quality pest exterminators.
In my example, risk mitigation might be removing the heavy branches over the roof to reduce risk. However, we went with risk avoidance. Removing the tree completely eliminated the risk that the tree would fall on the house seemed like the best choice.
Now, it is one thing when we discuss threats that directly affect our domain. That domain, being our home, our immediate family, the well-being of our neighbors, and the personal financial investment of our hard-earned dollars. But, I fear that it is something entirely different when we consider risks in our workplaces.
I don’t want to paint the picture that no employee wants to deal with risks, but I think many of us would agree that when it comes to certain risks in the workplace, we turn a blind eye to the risk as we fear that addressing risk will cost us extra time and resources that we simply do not have. Especially in IT. IT Departments are incredibly busy places. IT touches most, if not all, aspects of the business.
Everyone continues to walk by the tree and pretend the problem isn’t there. Some managers and co-workers might stand around saying things like, “that might eventually be a problem and needs to be fixed” and very few will have the where-with-all to take action.
I think there’s an equation for this:
This formula assumes that some risk is understood by the employees. When the action is less than or equal to zero, nothing will happen. Action will stay at a stand-still. As risk increases and fear decreases, the potential for action becomes greater. Planning can be a powerful offset for fear and can greatly further the potential for action.
But, if the potential for action is positive, things still might not change. There are a mess of variables not included here. Like resources, motivation, change management, leadership, and I’m sure many more. However, if we can start to understand that potential for action can be increased, then maybe we can plan and educate in a manner that both minimizes fear and helps employees get onboard with an improvement plan.
How? That’s the real question, right?
The world of IT has changed. It used to be a “do it yourself” technology world with many IT Departments forging ahead on new fronts and making discoveries. The world of technology is bigger than any one department. The threats are increasing. Don’t allow yourself to get sucked into the notion that “I can do it by myself.” When was the last time you heard about someone stopping threats on a consistent and regular basis and doing it single-handedly? This is a collaborate world and team-driven dynamics have been proven repeatedly to make the improvements that the next generation of IT will require. There are numerous books that speak well to this point:
- SCRUM by Jeff Sutherland
- The Phoenix Project by Gene Kim
- Meltdown by Chris Clearfield and András Tilcsik
- Red Team by Micah Zenko
Teams work! Companies like Carolinas IT are here to help.