Technology risk is any potential for technology failures, such as information security incidents or service outages, to disrupt your business.
Let me start with a shocking example of how a runaway IT risk incident can have a catastrophic impact, just like what happened to the airline Comair, a subsidiary of Delta Air Lines. One busy December, Comair’s crew-scheduling system failed because it was only capable of handling a certain number of changes a month. The system abruptly stopped functioning, leaving nearly 200,000 passengers stranded throughout the US in the run-up to Christmas. Revenue losses as a direct result of this incident are estimated at US$20 million.
An up-to-date EA inventory gives you information on all your applications including the technologies they are based on. This helps you to assess which applications might be at risk because underlying IT components are no longer supported and lets you keep track of your technology standards. Incidents that happen because of unsupported technology components on average will cost companies around €600.000.
What you need to know about Technology Risk
Most companies are much better at introducing new technologies than retiring them. The cost of running unsupported technology can be high. Costs of IT outages and data breaches run into the millions. At the end-of-life of technology, IT management has to deal with challenges such as integration issues, limited functionality, low service levels, lack of available skills, and missing support from vendors.
The twenty largest technology vendors alone provide over a million different technology products. The related information, like lifecycles, can change every single day.
67% of CIOs rate their technology risk management as ineffective.
If you are researching how to do a technology risk assessment, this story is probably already familiar to you. This is why we have created a definitive guide to technology risk assessment.
The technology risk landscape is quickly changing, mainly due to emerging technologies such as blockchain, or new methods like microservices. If not handled accordingly, this results in an increased IT risk, and thus, an increased risk for the entire enterprise.
According to KPMG’s technology risk management survey, technology risk management needs to evolve to be prepared for this new, fast-paced and disruptive world. Many organizations operating in the digital age do not consider technology risk as a value center and still remain stuck in traditional, compliance-focused approaches to technology risk that don’t offer the best control of technology assets, processes and people — including static qualitative measurement, reactive risk decisioning and a lack of innovation.
Did you know that 72% of organizations bring tech risk teams into projects once technology risk issues have already appeared and 47% adopt technologies such as mobile apps and devices without even including them in risk assessments?
Benefits of Technology Risk Assessments
There are various benefits to this. Amongst them are:
Find out what the best technologies are by assessing the functional fit of each IT component and the business criticality. This lets you opt for a standard across regions or offices, thus reducing redundant applications and/or technologies. For example, why would we use both Oracle and MySQL? We would be paying for both, when one of them could be suitable for the entire organization. You can read more about this here.
Image 1: IT Component Matrix showing the total annual cost of IT components regarding their providers and tech stacks.
What happens when we haven’t updated our software to the latest version yet? Or even worse, why are we using five different versions? This could be due to an underlying technology. Applications that depend on an underlying application can also be affected, which could eventually lead to a snowball effect of errors throughout the entire organization. It is crucial to identify and understand which underlying technologies exist, their lifecycles, and any software dependencies.
Image 2: IT Component Matrix showing the lifecycle of IT components regarding their providers and tech stacks.
One of the topics that most companies battle with is standardization. When we do not have clear standards defined, things get chaotic fast. Once these standards have been defined, we must also make sure that they are being followed. Ideally, one should not have to go door to door assessing, for example, how well stakeholders are adhering to IT security standards. To address this, we recommend using surveys. You can either use a tool such as SurveyMonkey or use the LeanIX Survey feature, which automatically imports all answers into the tool, ready for assessment.
Image 3: LeanIX Survey showing how to efficiently do an IT security assessment.
How to perform a Technology Risk Assessment
Now that we have established the benefits, you will probably want to know what the steps are to create a thorough technology assessment.
We recommend the following:
Get a complete list of applications you use
Hopefully, you have been documenting your applications over the past year. If not, I would suggest first reading our 9 Rules and Guidelines for Application Rationalization.
Without an overview of your current application landscape, it does not make sense to start a technology assessment. You wouldn’t start baking a cake without a list of ingredients, right? As a first step, you need to collect a list of all the applications you are currently using in your enterprise.
Assess the software versions that are in use
The next step is to find out what software versions are being used.
As a best practice, we recommend using a technology stack to group your software. You can also tag your software (manually or using out-of-the-box LeanIX tags) to reference them in the future. In the screenshot example below, you can see that we have tagged them via the Candidate, Leading, Exception, Sunset model.
Image 4: List showing which technology stacks are being used and their status.
Assess servers and data centers in use
This next step is similar to the previous ones. Again, we recommend assigning a technology stack to each server and data center.
In this step you should also verify the data. For example, you can check where your servers are located by using an IT component location report.
Image 5: Report showing where IT components are located.
Link software and servers to applications
After having collected and verified all of the data in the previous steps, it is important to now create the link between software, servers, and applications. This lets you later understand the dependencies between these objects, and thus avoid situations like the one previously described.
Image 6: Free draw report showing dependencies between an application and its IT-components and technical stacks.
Find out how technology affects your business
You made it to the final step. Now it’s time to find out what technology risk actually means for your business. It is time to put the pieces together. For example, we can now find out where applications using certain software versions are hosted.
Image 7: Deep-dive report showing where applications using certain IT components are located.
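The five steps above can be tried on a small scale with the following added example, which is not LeanIX code or part of the original guide. It links applications to their IT components, flags components that are past or near end of support, and follows application-to-application dependencies to show inherited risk. All names, dates and the 365-day warning window are constructed assumptions.

```python
from datetime import date

# Constructed sample inventory; every name and date here is illustrative.
COMPONENT_EOL = {  # IT component -> end-of-support date
    "db-engine-9": date(2023, 6, 30),
    "db-engine-12": date(2028, 1, 31),
    "os-server-2012": date(2024, 3, 31),
    "app-runtime-17": date(2026, 9, 30),
}
APP_COMPONENTS = {  # application -> IT components it runs on
    "scheduling": ["db-engine-9", "os-server-2012"],
    "billing": ["db-engine-12", "app-runtime-17"],
    "reporting": ["db-engine-12"],
    "web-portal": ["app-runtime-17"],
}
APP_DEPENDS_ON = {  # application -> applications it consumes
    "reporting": ["scheduling"],
    "web-portal": ["reporting", "billing"],
}

def component_status(name, today, warn_days=365):
    """Classify one component by its end-of-support date."""
    eol = COMPONENT_EOL[name]
    if eol < today:
        return "unsupported"
    return "ending" if (eol - today).days <= warn_days else "supported"

def assess(today, warn_days=365):
    """Return per-application direct findings and inherited risk sources."""
    direct = {}
    for app, comps in APP_COMPONENTS.items():
        status = {c: component_status(c, today, warn_days) for c in comps}
        direct[app] = {c: s for c, s in status.items() if s != "supported"}
    report = {}
    for app in APP_COMPONENTS:
        # Walk dependencies transitively; 'seen' guards against cycles.
        seen, stack, inherited = {app}, list(APP_DEPENDS_ON.get(app, [])), []
        while stack:
            dep = stack.pop()
            if dep in seen:
                continue
            seen.add(dep)
            if direct.get(dep):
                inherited.append(dep)
            stack.extend(APP_DEPENDS_ON.get(dep, []))
        report[app] = {"direct": direct[app], "inherited_from": sorted(inherited)}
    return report

if __name__ == "__main__":
    for app, finding in assess(date(2025, 10, 1)).items():
        print(app, finding)
```

An application with no direct findings can still appear in the report through `inherited_from`, which is the dependency effect the linking step is meant to expose.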
Deep-Dive: end-of-life management
One of the most important factors in technology risk management is end-of-life management.
What does this mean? Companies that don’t pay attention to deployed technology reaching obsolescence face a higher number of security risks and vulnerabilities than companies that keep a close eye on the life-cycle of elements in their IT landscape. Also, continuing to use hardware or software that is no longer supported makes it easier for cybercriminals to gain access to systems and data.
This crucial topic is often overlooked; even government agencies are not immune to this. US Government auditors blasted the Internal Revenue Service (IRS) in 2015 for missing deadlines to upgrade Windows XP PCs and data center servers running Windows Server 2003, both of which have been retired by Microsoft. Nine months after Windows XP fell off Microsoft’s support list, the agency still could not account for 1,300 PCs, about 1% of its total, and so could not say whether they had been purged of the ancient OS. The IRS also had to pay Microsoft for post-retirement support contracts to be provided with critical security updates.
Businesses need to comply with many regulations, from HIPAA to PCI and FISMA. While compliance does cost money and, in terms of technology, requires an accurate view of applications and technology, the cost of non-compliance is usually higher. As a rule of thumb, experts say that the cost of non-compliance is 2.5 times higher than the cost of compliance.
An up-to-date EA Inventory does not only provide you with reliable data that you can use to document your compliance with regulations. The LeanIX Survey Add-on can also help you to create ad-hoc or regular surveys for the appropriate staff to maintain accurate information about, for example, the use of sensitive data by applications.
GDPR is a current use case, for example: we can assess our data to determine its level of privacy sensitivity, categorizing it as public/unclassified, sensitive, restricted, or confidential. If you are using a professional enterprise architecture management tool such as LeanIX, you can use tags to add further attributes (e.g. "GDPR restricted") to a data object or application. This will usually already be part of your internal security processes, where you assign attributes such as confidentiality, integrity or availability to data.
You can learn more about how to model this here.
Complexity is the enemy of security. When it comes to the retirement of old technology, CIOs have to carefully balance two aspects. On the one hand, they need to “keep the lights on”. They need to make sure, above everything else, that IT operations are running smoothly. The old proverb says, “If it isn't broken, don’t fix it,” but this adage was not written with digital transformation in mind. There is, of course, some truth in the saying, as an upgrade to newer technology usually is accompanied by some kind of interruption, but keeping the status quo comes at the cost of increased complexity.
Figure 10: LeanIX dashboard illustrates which applications are at risk as the underlying IT components are out of the lifecycle.
Obsolescence and hardware maintenance, as well as security, are some of the most pressing information technology problems facing organizations today. Not planning for the future of technology is by far one of the most costly IT mistakes that many enterprises make.
Technology risk management is a broad, complex topic that cannot be solved by manual data maintenance – no matter how great your team is. With the help of LeanIX software, Enterprise Architects can quickly source up-to-date technology product information. This information is essential when assessing the risk of the application landscapes, and to plan, manage and retire technology components in a smart way.
What do you think? Are you missing something in our definitive guide? Leave a comment below!