Book Review: IT Risk: Turning Business Threats into Competitive Advantage by Westerman and Hunter

This post provides a very personal review on the book titled "IT Risk: Turning Business Threats into Competitive Advantage" by George Westerman (Research Scientist @ MIT) and Richard Hunter (a Gartner fellow) published in 2007.

A book mainly for executives and for those requiring some foundations on why and how information security, also known as IT risk, can be implemented in an organisation today.

It is encouraging to see how some of the learning points present in this book already appeared in this blog in 2006.

As always, an important disclaimer, this review does not replace the reading of the book. On the contrary, it motivates to read it. Thanks to the authors for their research work.

In 9 chapters, the authors provide simple but powerful ideas on how IT risk is really linked to business risk and how both risks can be managed.

The first chapter states how IT has become central in organisations today. However, IT risk is still seen in IT departments. This traditional way of seeing things is proven to be partial and not fully future-proof. The authors remind us how decision makers in organisations need to be aware of the business risks created by IT risks.

IT risks needs to be factored in in business and business risks need to be factored in in IT. The notion of perceived risk is also mentioned and how attention and resources are mostly given to those perceived risks (and not to all existing and real risks).

The authors finalise this chapter with the 4 A's model i.e. risks can be broken down into 4 categories: availability, access, accuracy and agility.

The second chapter presents three disciplines as required ingredients to manage IT risks:

- A well-structured foundation of IT assets.
- A well designed and executed risk governance process.
- A risk-aware culture (different from a risk-averse culture).  

The third chapter mentions the traditional (but powerful) idea that investing in prevention is less expensive than spending in reaction.

They present the IT risk pyramid, being availability at the bottom, then access, then accuracy and finally agility at the vertix.

The fourth chapter expresses the need to simplify the first mentioned ingredient i.e. the IT foundation. This shows the importance of IT and enterprise architecture. When will a business service be migrated to a simplified foundation? When the business risk to keep it in the legacy system is greater than its business value.

The fifth chapter proposes a traditional risk governance process using concepts such as impact and probability. Threats are actually not so mentioned though. They also touch upon the importance to engage decision makers in these governance processes.

The sixth chapter talks about a risk-aware culture and how this starts at the top of the organisation. A risk-averse culture does not really avoid risks. It just neglects them. Two useful concepts are mentioned: Segment different audiences and communicate regularly.

The seventh chapter includes some checklists that would guide the risk manager throughout the implementation of these ingredients.

The eighth chapter provides some keys on the future and the ninth chapter summarises the main learning points.

All in all, a mostly traditional (with some innovative elements) reference that can help our readers to navigate through the business ocean.

Happy risky reading!  

The sky is the limit!