ITIL 4 Information security and risk management practices: embedding safety culture and behaviour

26 Mar 2020 01:09 PM

Blog posted by: Radoslaw Gnat – Information Security Expert, GSK, 26 March 2020.

[Image: cartoon of ITSM practitioners assembled around a giant screen showing a secure padlock and a network of linked icons, including a shopping basket and a credit card]

How well prepared are organizations for information security and risk management in an increasingly cloud computing-based world that is also volatile, uncertain, complex and ambiguous (VUCA)?

The rush to use cloud services sometimes means organizations are not thinking fully about the risks. Thinking that “it’s in the cloud, therefore it’s safe” is wrong, though vendors may claim it is.

This is why it’s important for ITIL® 4 to have dedicated management practices for information security and risk management, helping enterprises to create healthy cyber behaviours and ensure all employees are involved. It’s also important that external suppliers embrace these best practices to manage overall risk.

Balancing security and freedom to innovate

Both information security and risk management are everyone’s job in the organization.

In high-velocity IT environments, development teams are operating with agility and multiple, regular changes. However, once they embed healthy information security behaviours, risk management becomes basic company culture and poses no problem to innovation.

This supports the ITIL 4 service value chain, ensuring that everything the organization is doing to co-create value for customers is secure at each point in the chain.

The information security management practice helps people understand the boundaries they should work within, and the tools available for delivering specific product functionality securely for the customer, such as anti-virus, malware protection and supplier access.

And, ultimately, it’s possible to achieve the cyber security maturity model:

Balancing risk management and innovation

If an organization’s risk appetite is communicated effectively from C-level, then it becomes the standard approach and shouldn’t inhibit innovation.

ITIL 4’s risk management practice demonstrates that, on a daily basis, we are exposed to different types of risks; this means leaders need to nurture both culture and behaviour to minimize risk while, at the same time, co-creating value.

Having a clear approach through the management practice enables organizations to identify risk, know how to address it and repeat this process.

A major factor highlighted in ITIL 4 is the need to embrace change: what is best for an organization in a VUCA world and how to adapt to the anxiety that comes from the continuous cycle of change.

For this, enterprises need to develop the culture and behaviour among their people to be secure but also to give them the confidence to make mistakes and the ability to fix and learn from them.

Read Radoslaw Gnat's previous AXELOS Blog Post, ITIL 4 – supporting everyone in today's organization.