What are some ways to use both major and minor incidents as opportunities to identify and address weaknesses in your organization's risk management processes?

VP, Enterprise Solutions & Digital Services Delivery in Software, 10 months ago

Ideally, a lot of this comes to light during the drills you conduct. You should be testing for both minor occurrences and major outages, as well as everything in between on the disaster scale. The challenge becomes deciding on your approach to vendor selection. You can either take the best-of-breed approach, selecting different vendors for specific needs like CrowdStrike for endpoint security, Cisco for network, and Fortinet for VPN, or you can consolidate and pick one trusted partner. Each approach has its benefits and risks. For instance, a recent issue with CrowdStrike made us question if we should stick with our current approach or reconsider our vendor strategy. Even with reputable companies like SolarWinds, CrowdStrike, or Microsoft, which have deep R&D investments, it can be challenging to decide on the best path forward. With up-and-coming startups, we often conduct thorough code reviews and access their IP, but this level of diligence isn't always feasible with established firms.

Worldwide Strategy & Portfolio, Cross Industry (Supply Chain, ESG, Engineering, Customer Experience, Intelligence Automation, ERP) in Manufacturing, 10 months ago

From an iterative governance standpoint, any disruption, whether large or small, should involve collaboration between the business and IT teams to understand where we missed the mark. It's about learning from the incident and integrating those lessons into our disaster recovery plan. The key questions to ask are: What didn't work? What should we keep doing? What should we stop doing? And wha

CxO, 10 months ago

There are many facets to consider. Reflecting on my experiences with JP Morgan Chase and a large nonprofit, the approach to risk management can vary significantly depending on the organization. In financial services, the urgency and level of scrutiny are much higher compared to other sectors. Risk management involves how issues are handled, communicated, escalated, and how bad actors are identified. These processes differ across industries and organizations. The opportunities lie in having a well-thought-out plan from start to finish, with strong stakeholder involvement and support for when issues, attacks, or outages occur.
