How Do IT Leaders Measure Risk?

Written by Kate Lake on September 13, 2021


In a digital age where nearly every customer experience depends on technology, IT leaders are responsible for continually assessing and mitigating risk. If you work in IT, you’re aware that data breaches and cybersecurity attacks do more than just access critical infrastructure; they put the business itself at risk. When you’re in a position to make a decision about tools, a team of people or processes — either introducing the need for something new or defending the reasons to retain what’s already there — understanding how IT leadership looks at risk can be beneficial to your case. It can also help you assess current tools and practices in a broader light. 

So, what matters to IT leadership (and top-level leadership across the organization) when it comes to risk? 

The big picture. IT admins can get caught in the weeds when it comes to risk evaluation, but leadership is looking at the big picture. Great big worst-case scenarios that not only can, but far too often do, happen to great companies. Every piece of technology and every process has a potential ripple-effect on risk. 

Top-of-Mind Risk Factors Among Leadership

When evaluating proposals for new technologies, strategies, expenses, or operational changes, leaders will always want to know the risk factors. Here are the risks that are usually top-of-mind: 

Company reputation. Whether it’s unfavorable news, negative employee reviews, the mishandling of a public situation, a bad customer experience gone viral, scandalous executive behavior, perceived unethical sourcing or supply chain practices — company reputation impacts the business’s ability to attract new customers, retain existing ones, and court new investors. It also plays a critical role in attracting top talent, such as executives and developers. Anything that can harm company reputation matters to IT leadership and company leadership overall. 

Loss of revenue. Companies are driven by revenue targets. Any of the above risks can threaten revenue. Not only do IT leaders look at how risks impact revenue, but they also evaluate how existing and potential tools will lower costs and help generate revenue. It can seem a stretch when you’re considering which software or platform to buy, but every buying decision executives make has to be tied to impact on revenue — or its potential loss.

Existing customer loss. Customers flee for a variety of reasons; however, if it’s an issue the business can control, it’s important. Hits to the company reputation, as well as issues executing on commitments, the inability to maintain compliance, and possible or known data exposures are common reasons. But while the big issues are top of mind, for many customers it comes down to customer experience — slow site loading, unresponsive customer service, too many clicks and too much hassle trying to order, refund policies less generous than competitors’, and often finding a competitor that’s just easier to buy from. In many organizations IT plays a role in the decision-making process for the platforms that support these services.

Data breach. Customers don’t always leave because of data breaches, particularly if they value their overall experience with your brand. But data breaches not only expose customer information to harm, they also expose company information. Data breaches are caused by improper controls and practices that allow illicit, unauthorized access to persist. Keeping data safe is part of brand-customer trust, so when data breaches occur, customers lose trust. And, new customers may steer clear of organizations that take security lightly. Further, in regulated industries like healthcare and financial services, data breaches break compliance and have legal and financial consequences beyond the loss of customer trust. 

Loss of productivity. When disruptions cause internal systems, teams or individuals to miss their objectives, the effect plays out across the company and ultimately impacts customer experience. Any system or tool that decreases productivity puts the company at risk of not being able to move and respond fast enough to stay competitive. 

Loss of top talent. Leadership weighs the impact of decisions on employee experience, especially in a fiercely competitive labor market. Does the existing tool or the new one deliver a better employee experience — think ease of use, streamlined workflow, capacity to deliver outcomes faster? Like customers, employees go where they get the best experience. Anything that puts that employee experience at risk — especially for top technical and leadership talent — is a priority.

So, with this in mind, what can you do to evaluate risk and present your case to leadership? 

Measuring and Communicating Risk

While it may be tempting to ignore risk and stick to the positive when proposing a new course of action, leadership won’t be fooled. They know that not much in the world is truly 100% risk-free. Their focus is making sound, secure decisions that benefit the business; rather than ignore an option’s potential pitfalls, they want to understand them so they can make the best decision for the company. What are the risks? Are they likely to occur? How severe would the impact of a worst-case scenario be?

To communicate a proposed strategy’s potential risk in a way that resonates with leadership and helps them better evaluate its fit for the organization, start by measuring it. 

A Straightforward, Effective Way to Quickly Grade Risk

In simple terms, you can grade an area of risk by two measures: 

  1. How severe is the effect of a potential risk? Use a simple number scale, like 1-5. The highest end of the spectrum means complete and utter loss (business folds, extreme negative consequences); the lower end is minor, relatively easy to overcome, and would only slightly sidetrack an area of the business.
  2. How likely is it to happen? Use a percentage, and approach with your best judgment; your company may track aspects of this (like customer churn, sales win/loss), and external resources exist (like Verizon DBIR) that could give you a baseline. 

This simple way of calculating risk is not about precision; it is a way to gauge your thinking. A “high impact, low probability” item may net out even with a “low impact, high probability” item, but a “high impact” item could end the business, and leadership is going to prioritize items that mitigate that risk.
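The grading above, worked through as an added example that is not part of the original article. It assumes the two measures are combined by multiplying severity by likelihood (the article does not prescribe a formula); the `Risk` class, `rank` function, and the sample register are constructed for illustration.

```python
from dataclasses import dataclass

MAX_SEVERITY = 5  # top of the 1-5 scale: complete loss, business folds


@dataclass(frozen=True)
class Risk:
    name: str
    severity: int          # 1 (minor sidetrack) to 5 (business folds)
    likelihood_pct: float  # best-judgment probability, 0-100

    def __post_init__(self):
        if not (isinstance(self.severity, int) and 1 <= self.severity <= MAX_SEVERITY):
            raise ValueError(f"{self.name}: severity must be an integer 1-{MAX_SEVERITY}")
        if not 0 <= self.likelihood_pct <= 100:
            raise ValueError(f"{self.name}: likelihood must be a percentage 0-100")

    @property
    def score(self) -> float:
        # Assumption: combine the two measures by multiplying them.
        return self.severity * self.likelihood_pct / 100


def rank(risks):
    """Order risks for a leadership summary.

    Business-ending items (severity 5) come first regardless of score;
    the rest sort by score, with severity breaking ties.
    """
    return sorted(
        risks,
        key=lambda r: (r.severity == MAX_SEVERITY, r.score, r.severity),
        reverse=True,
    )


# Constructed sample register; names and numbers are illustrative only.
REGISTER = [
    Risk("Laptop lost without disk encryption", severity=2, likelihood_pct=50),
    Risk("Ransomware takes down all production data", severity=5, likelihood_pct=20),
    Risk("SSO outage blocks staff for a morning", severity=3, likelihood_pct=40),
    Risk("Help desk ticket backlog", severity=1, likelihood_pct=90),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        flag = "  <-- could end the business" if r.severity == MAX_SEVERITY else ""
        print(f"{r.score:4.2f}  sev {r.severity}  {r.likelihood_pct:3.0f}%  {r.name}{flag}")
```

The first two entries score the same, yet the ranking puts the severity-5 item at the top, which is the prioritization the paragraph above describes.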

Whether you’re looking to champion the existing tools and practices you have, or implementing new ones, going through this risk assessment exercise can help you look at your job in a new way, which will help you clearly and effectively communicate to leaders what they’ll want to know. 

IT Leadership’s Perspective on Security

In a recent JumpCloud® survey of over 400 IT professionals, 70% of C-level executives said managing remote workers had been one of their biggest challenges since the start of the pandemic. For business owners, it was a tie between the costs of remote solutions and increased work burden. 

C-level executives and owners were also more concerned with spending than their peers, being much more likely than their counterparts to strongly agree that their company spends too much on remote work security or identity and device management. This is likely due to the point solutions many companies implement to address these issues rather than using fewer, more comprehensive tools. Dive deeper into IT leaders’ cost concerns in our recent analysis. 

Interpreting the Stats

Essentially, when it comes to risk, solution costs and remote work security are top-of-mind for leaders. Make sure you consider and address these elements when discussing solutions or proposals with leadership.

Cost Perspectives

Sometimes, solutions can have high price tags but save money in the long run; these long-term savings may not be obvious at first glance, but they’re important to leadership. Make sure you clarify long-term revenue impacts and potential cost savings, breaking them out into hard numbers or estimated projections where possible. (JumpCloud, for example, has a pricing calculator that does it for you, giving low-range and high-range estimates for alternative approaches.)

Security Perspectives

It’s important to remember that leaders tend to look at security and risk from a bird’s-eye view rather than in-the-weeds, as IT admins usually do. Leadership is focused on outcomes, and too much jargon or granular discussion around the mechanics of a solution’s security and risk may not land. For example, over 40% of IT-focused company owners surveyed and about 20% of C-level executives weren’t sure what Zero Trust security was; however, they still named adding layered security to make remote work secure their top priority for 2021. Note that these were IT-focused leaders, so leadership outside the IT world will likely have less specialized knowledge. 

When communicating objectives and risks with leadership, make risks, outcomes, and costs clear. Glossing over a potential negative will only hurt the credibility of your proposal, either immediately or in the long run when the solution doesn’t perform as you originally projected.

Reducing Risk with Zero Trust

At JumpCloud, we see IT admins evaluating their current identity and device management practices against the benefits of using a single cloud platform that implements Zero Trust, a security methodology with the mantra, “Trust nothing, verify everything.” The JumpCloud directory platform establishes Zero Trust with single sign-on (SSO), multi-factor authentication (MFA), conditional access policies, and unified device, user, and network management. It also offers full visibility into every managed device from a user-friendly web interface.

Learn more about Zero Trust in our whitepaper: Simplify Zero Trust Security from the Cloud. 
