When it comes to managing and mitigating technology risk, IT teams have traditionally relied on operational, control-compliance approaches focused on information security. The rest of the business, meanwhile, has probably adopted broader, business-focused risk management frameworks. This disconnect can sometimes inhibit IT leaders’ ability to effectively articulate technology risk to business stakeholders, which can impact investment decisions.
There is room for both approaches in managing IT risk effectively, because each method offers benefits.
One of the key benefits of a control-compliance approach is the increased understanding and awareness it provides of low-level control deficiencies present within the technology estate. As the various successful backdoor entries across industries show, it is often an unpatched system or a minor configuration error that enables a hacker to gain entry. A deeper understanding of current control deficiencies can therefore increase the probability of detecting a small, exploitable vulnerability that can lead to a backdoor attack.