Participants discussed their experience and came up with a series of best practice tips for IT leaders to focus on to develop their own plans to protect and secure the business:
Back to basics
Risk management is all about going back to basics which, in turn, is all
about inclusion and a holistic approach. As we are sharing information, we’ve
got to be careful to create a balance and not to add too much control that might
stop the desire for innovation.
Colin Windsor, chief information officer, Openreach
I think the holistic view is crucial: we need to consider people, process,
technology and governance in combination. We’re constantly struggling with human
nature and the issues surrounding new social networking technologies. Each
individual will look at risk from their own individual viewpoint. It is
essential we get ownership right and the people marshalled so the right rules
are in place.
Tony Marshall, interim risk manager working for central government
People need to learn. If individuals begin to care enough for their own data,
then maybe more people will care about business information.
Ray Stanton, global head of BT’s business continuity, security and governance practice
Leadership
The buck stops with the board. If we are going to address IT and data
security, we have a duty to make sure the board is aware and that they have
decided on the monetary value of information. The board needs to tell us what
they want to protect so that we can implement the right tools to address the
business elements of risk.
Amir Mohazab, head of IT, Protiviti
We’re talking about the ability of IT to influence the business and we need
to consider whether IT has a high enough profile. Are IT directors actually on
the executive board of companies? Traditionally, the board representation of IT
is not all that it might have been and that is often still the case today.
Paul Graham, partner, Dundas and Wilson LLP
Education
The IT industry has a propensity to beat itself up when it comes to security
problems and to take on business-related problems. We’re basically talking about
human failings and that brings us back to issues of process and the correct
training of individuals.
Richard Stephens, principal, Lors Online
Effective risk management is all about education and leadership. We need to
concentrate on the actions of individuals, which can cause a security breach and
a loss of information. As has happened with security and virus control, we’ve
got to start putting out some simple messages and educate the people so that
risk management is ingrained into the culture.
Peter James, chief information officer, Achilles Information Limited
Risk is a threat that runs through a public sector organisation and we
sometimes don’t analyse the processes correctly. Organisations can become
complacent with regards to staying refreshed with key issues and disseminating
information to staff. The high-profile data loss incidents have shown to public
sector staff that they need to tighten their processes to ensure such incidents
do not happen again. We must say that we have learnt a lesson and move forward.
Kash Akram, director of business development, Cromwell College of IT and Management
People and processes
Risk management is all about people and processes and technology is only
the final part. We’re probably pretty good at learning, but we’re not very good
at the training and development because we’ve always got something else to
learn. Such an approach means you never actually develop the best practice
within the business. We just need to create an effective balance between the
business and IT, because business actually has an appetite for risk and that
is how it gets a competitive advantage.
Que Tran, IT solutions director, Synovate
Without good risk management, you cannot work out the best way to allocate
your resources. You cannot terminate all risk, obviously, and you need to
manage it. Without undertaking a process of quantifying the risk, it will be
impossible to work out which areas you should focus on.
Mark Hughes, director, BT Group security
Roles and responsibilities
Roles and responsibilities really need to be clear and responsibility for
risk within the business can’t possibly be with IT. If you address the risks
that you can foresee, you will also be addressing most of the risks that you
cannot foresee. So, just be active in managing risk.
Kevin Davies, head of information strategy and policy, Highways Agency
As the executives of the business, I think we’ve got two responsibilities.
One is to make the business aware of the risk in terms of compliance, governance
and measurement. When we go to our business colleagues, we always complain that
they cannot tell us what they want. Well, we need to help them tell us what they
want. Second, we have a duty as managers to implement the right processes to
mitigate some of the risk.
John Wishney, interim executive director
Managing risk: http://managing risk.computing.co.uk