ITIL 4 Information security and risk management practices: embedding safety culture and behaviour

The rush to use cloud services sometimes means organizations are not thinking fully about the risks. Thinking that “it’s in the cloud, therefore it’s safe” is wrong, though vendors may claim it is.

This is why it’s important for ITIL^® 4 to have dedicated management practices for information security and risk management; helping enterprises to create healthy cyber behaviours and ensure all employees are involved. It’s also important that external suppliers embrace these best practices to manage overall risk.

Both information security and risk management are everyone’s job in the organization.

In high-velocity IT environments, development teams are operating with agility and multiple, regular changes. However, once they embed healthy information security behaviours, risk management becomes basic company culture and poses no problem to innovation.

This supports the ITIL 4 service value chain, ensuring that everything the organization is doing to co-create value for customers is secure at each point in the chain.

The information security management practice helps people understand the boundaries to work within and tools for solving specific product functionalities for the customer, such as anti-virus, malware protection and supplier access.

And, ultimately, it’s possible to achieve the cyber security maturity model:

• Identifying the risks/information vulnerable to threats
• Assessing how to comply
• Measuring and monitoring with key performance indicators
• Establishing continuous programmes for healthy cyber behaviours
• Transforming the organization with a strong security culture.

If an organization’s risk appetite is communicated effectively from C-level, then it becomes the standard approach and shouldn’t inhibit innovation.

ITIL 4’s risk management practice demonstrates that, on a daily basis, we are exposed to different types of risks; this means leaders need to nurture both culture and behaviour to minimize risk while, at the same time, co-creating value.

Having a clear approach through the management practice enables organizations to identify risk, know how to address it and repeat this process.

A major factor highlighted in ITIL 4 is the need to embrace change: what is best for an organization in a VUCA world and how to adapt to the anxiety that comes from the continuous cycle of change.

For this, enterprises need to develop the culture and behaviour among their people to be secure but also to give them the confidence to make mistakes and the ability to fix and learn from them.