Risk management in the cloud
Companies have transferred (part of) their IT to the cloud with the usual suppliers (mostly Microsoft, Amazon and Google) and have outsourced management to an IT agency. In this setup, the function of risk management is often not explicitly assigned. The consequence is a failure to recognize organizational IT vulnerabilities and the associated business risks, which ultimately has a negative impact on business continuity.
An IT risk manager supports the company in managing the risks in the IT landscape. He or she helps the company discover and identify vulnerabilities in the processes that lead to business risks and prioritize effective control measures. By creating an explicit separation of functions between managing the IT landscape internally or externally (in the cloud) and risk management, the company ensures that the IT landscape manager remains alert to recognizing the business risks and costs of IT.
What can we help you with?
Risk management, especially IT risk management, detects and records internal and external vulnerabilities, assesses business risks and advises on implementing effective control measures. Internal or external management implements the control measures through which the company protects its business continuity. The established separation of functions between management and risk management requires agreement from management and understanding from employees. Depending on the goals of instituting risk management, knowledge and change management may be required. We formulate concepts for companies for organizing risk management, in particular IT risk management. We provide training programs for management and employees and can take on the role of (IT) risk manager for companies on a structural or occasional basis.
Some of our expertise:
- Help with SaaS applications: For many companies, using so-called SaaS applications is sufficient. Here, the vendor is responsible for keeping the application operational and the company for access security and data management. The risk manager has an important role in selecting the SaaS application. The vendor is responsible for the security of the application, but it is good to note whether the vendor has actually taken on this responsibility. If the vendor has not properly managed application continuity, it can become a major problem for a company.
- Help with IaaS and PaaS: If a company (also) uses the IaaS and PaaS platforms, then it has more responsibilities. With a little imagination, you could say that IaaS and PaaS are the foundations for builds from which an application should emerge.
- Hybrid: Companies do not always manage to make the move to the cloud in one go. There may be several reasons for this. This creates a hybrid situation: the company is in the cloud and also maintains IT hardware and software locally.
- Microsoft 365: In the Netherlands, the use of Microsoft 365 is pretty much standard. What many companies don’t realize, or don’t realize enough, are the opportunities Microsoft 365 offers for performing risk management. With Defender, vulnerabilities are reported and can be followed up on. It is possible to expand the scope of Defender to include cloud environments at Microsoft and/or other cloud providers as well as the local (on-premises) environment.
- Coordinated Vulnerability Disclosure (CVD): In addition to Defender’s reporting of internal vulnerabilities, a company can also promote the reporting of vulnerabilities identified externally. This requires a Coordinated Vulnerability Disclosure policy that is published on the website.
Submit your question to our experts
Questions about our services? Feel free to contact us; we are happy to help you.