Blogger: Phil Schacter
Over the past several months, I’ve been working with fellow analysts Eric Maiwald, Ramon Krikken, and Trent Henry on a major research effort to understand how IT risk programs are conducted, what in-house and industry risk assessment methodologies are being used, and what challenges security and risk professionals are facing. This research started with interviewing 19 IT risk program managers and specialists representing over a dozen client organizations. Next, each analyst focused on a specific methodology to understand its capabilities, strengths, and weaknesses. The first four methodologies we examined were: Carnegie Mellon University OCTAVE, Information Security Forum IRAM, ISACA’s Risk IT Framework, and NIST SP 800-30. Documents covering each of these methodologies, a comparison of the four, and a summary of the risk assessment practices of the interviewed organizations will be published for Burton subscribers over the next couple of months. This research will also be featured in half-day sessions at Catalyst in Prague, April 19-22, and Catalyst in San Diego, July 26-30.
The Catalyst experience is unlike any other technology conference, with full days of exceptional presentations spread over four or five rooms. Each half-day or full-day topic combines the perspectives of an analyst expert, a customer architect/implementer, and industry solution providers. A conversation develops over the linked sessions in the topic track, building on what’s been said previously and driving towards a set of conclusions to close out the topic. These conversations continue into the breaks, as IT professionals from other organizations with similar challenges share their experience.
For this year’s Catalyst topic track on risk management, the program kicks off with an entertaining and informative investigation into the myths and realities of risk management, co-presented by Eric Maiwald and Trent Henry. This session also showcases the highlights from the research conducted over the last several months. The next presentation features another Burton expert, Bob Smock, sharing a specific example of using risk score cards. In Prague, representatives from HSBC and Munich ReInsurance will separately present their perspectives on IT risk assessment. Customer speakers for San Diego are still in the selection process. Finally, the topic wraps up with Burton’s Jack Santos sharing his insights into how to communicate with executives about risk.
There’s still time to sign up to attend either of these upcoming Catalyst events, and I hope to see you there. For more information, see the Burton Catalyst site.