Large organizations spend a lot of time thinking about risk, but their approach is often quite fragmented. Each department may have a different set of concerns and a different array of risks to account for. So while it may seem obvious that a threat to one area of operations could have an impact elsewhere, risk mitigation efforts often end up being quite siloed, creating vulnerabilities and inefficiencies that affect an organization’s ability to respond. These risks could include recognizable physical security threats or less apparent failures of logical security.
More importantly, organizations sometimes fail to take into account risks that fall outside their span of control. This problem became rather evident in the realm of data center disaster planning over the last few years. When Hurricane Harvey swept through Texas in 2017, Houston-area data centers were proud to announce that they never lost power or suffered downtime. That good news, however, was undercut by the fact that the flooding was so bad that many facilities were completely inaccessible by car.
While effective disaster planning accounted for the risk of power loss as well as wind and water damage to the facility itself, it failed to take a holistic view of risk that identified assumptions these facilities took for granted. In this case, they accounted for the failure of power infrastructure because data centers routinely manage the risk of power loss; what they didn’t plan for, however, was a failure of physical infrastructure availability like roads.
Over the last few years, many organizations have shifted to a new way of conceptualizing the scope and impact of risk. Known as integrated risk management, this process is defined by Gartner as:
A set of practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.
While the definition is a bit of a mouthful, integrated risk management should not be overlooked. It involves making a comprehensive assessment of internal and external risks facing an organization in order to design a strategic framework that draws connections between those risks. Rather than isolating risk factors and confining their implications to one area of an organization, integrated risk management considers how each risk could impact the entire organization. This has a profound impact on how managers approach risks related to data center compliance and data center security.
Identifying potential risks is only one aspect of effective integrated risk management; the next step involves building the tools and processes for monitoring operations and evaluating the effectiveness of risk mitigation strategies. In many cases, the sheer scope of an organization’s operations is too much to account for without a technology solution. Analytics are incredibly valuable here for their ability to analyze previous data points and anticipate potential risks in the future.
Data centers are already incredibly complex facilities that face a wide range of potential risks ranging from malicious cyberattacks to utility outages—and everything in between. New technology like powerful DCIM software (such as vXchnge’s award-winning in\site platform) has made it much easier for data centers to develop a comprehensive view of risk. Combined with predictive analytics, facilities can make much more accurate assessments of how risks to different aspects of operations and infrastructure might impact performance and service.
In the case of data center security, every aspect of physical security needs to be reinforced by corresponding logical security measures to guard against breaches that could have wide-reaching consequences. Integrated risk management can create the necessary links between the multiple layers of data center security. This is especially important when it comes to protecting customer data.
The consequences of a data breach can be devastating, and as a nexus of connectivity, a data center must take a very proactive approach to risk management. Procedures and policies that are discovered during an integrated risk management assessment need to be incorporated into data center operations to ensure that potential dangers are minimized and that decisions are made at an enterprise level using the best available data.
But integrated risk management’s scope extends far beyond the data center environment itself. A risk-aware facility must also consider what external factors could potentially have an impact on operations and infrastructure. Take, for instance, issues involving data center compliance standards. Even if a data center takes compliance requirements very seriously and maintains the most rigorous standards, it must account for the possibility that third party vendors or suppliers (or their vendors or suppliers) might not be quite so thorough. Furthermore, a facility that stores data for clients with extensive overseas operations needs to be aware of foreign regulatory standards that may apply to that data (such as GDPR). A thorough integrated risk management process should identify these risks and implement the tools and strategies necessary to account for them.
With a thorough integrated risk management approach to operations and security, data centers can take on the expected risks more effectively and put themselves in a position to respond quickly to the unexpected. Rather than compartmentalizing risk and creating blind spots, integrated risk management makes it possible to gain a holistic view of risk that helps facilities avoid downtime and keep customer data secure.