UK cyber agency says managing risk in technology projects demands further overview

By Nicole Miskelly | 5 February 2015

The UK government’s National Technical Authority for Information Assurance (CESG) has said that public sector bodies and their IT suppliers must look further into the importance of organisational assets and services, consumer privacy and their reputation when deciding how to manage the risks associated with new technologies.

CESG said that weighing up these factors can help public sector organisations and their supply chain to better understand which risks they can cope with and the steps needed to manage them. “Organisations cannot develop without taking risks. Technology and information risk is not just about avoidance and mitigation; the pursuit and acceptance of risk creates opportunities and can help deliver business objectives,” CESG said in new guidance on technology and information risk management.

The cyber agency, which advises organisations on how to protect their information and information systems against today’s threats, said that risk management needs to be carried out more than once when new technology is implemented and that, just as organisational needs change, the IT security, technology and information security vulnerabilities also change.

The guidance report comes at a time when many organisations are unsure how to manage the risks presented by new technologies and after reports of a number of high-profile cyber security attacks on major companies last year. Managing the risks that come with new technology is a challenge facing every industry sector, and the CESG’s guide helps to highlight that with new technology comes a whole new set of risks, which should be effectively managed by the whole organisation and not just by the IT department.

“Risk management decisions should be objective and informed by an understanding of risk. They should not be made in isolation but on a basis of understanding how individual decisions affect the wider business, and what it is trying to achieve.”

The report also said that people need to be equipped with the right skills in order to make the right decisions when faced with a possible security risk. “The right people need to make decisions at the right time, with the right advice and support. They need to be empowered by the organisation and the right business, technology, security knowledge and skills to enable informed and objective decisions,” said CESG.