How to Manage IT Risks – ADIRA Podcast
Published: 15 July 2024 at 10:00

Insights from Frédérick Dupont
The field of IT risk is evolving rapidly, and effective risk management has become a top priority for modern businesses. During an episode of the ADIRA podcast, Frédérick Dupont, founder and CEO of CoAudit Group and an expert in IT risk management, shared his perspectives and best practices. Below is an overview of the key points he discussed, supported by slides from his presentation.
Understanding IT Risks
IT risks encompass threats and vulnerabilities that may affect an organization’s systems, data, and networks. Frédérick began by defining these risks and explaining how they differ from cyber risks. IT risks include:
- Availability, integrity, confidentiality, and evidence of information
- Financial implications such as costs and budget
- Regulatory compliance requirements
Identifying and Analyzing Risks
The process begins with a mapping of assets, data, and third parties. Frédérick recommended using methodologies such as EBIOS Risk Manager to structure this identification. Once the risks are mapped, it is essential to evaluate and prioritize them in order to define the most appropriate actions.
Risk Management Strategies
Frédérick outlined the four main strategies for managing IT risks:
- Eliminate – Remove risks by changing processes or eliminating vulnerabilities
- Reduce – Implement controls to lower impact or likelihood
- Share – Transfer risks through insurance or partnerships
- Accept – Assume risks when mitigation costs exceed the benefits
Key Domains of IT Risk Management
IT risk management covers several critical areas:
- Governance: Establishing a solid structure to oversee IT risks
- Data security: Protecting sensitive data and ensuring confidentiality
- Network security: Safeguarding infrastructures against intrusions
- Application security: Securing applications against vulnerabilities
- Physical security: Protecting equipment against unauthorized access
- Systems and mobile device security: Securing operating systems and endpoints
- Cloud and IoT security: Ensuring the safety of cloud services and IoT devices
- Business continuity and crisis management: Preparing continuity plans to maintain operations in case of disruptions
- Compliance and regulations: Meeting standards such as GDPR and the NIS2 directive
Regulatory Framework and Standards
Frédérick emphasized the importance of complying with constantly evolving regulations. He cited examples such as:
- GDPR, NIS2 Directive, and the Cyber Resilience Act
- ISO/IEC standards: 27001 (information security management systems) and 27701 (privacy information management)
Implementing Best Practices
To initiate effective IT risk management, Frédérick recommended two fundamental resources:
- ANSSI’s IT Hygiene Guide – Practical recommendations for protecting systems against cyber threats
- ANSSI’s MOOCs – Online courses on cybersecurity covering risk management and awareness
Frédérick Dupont’s presentation offered a comprehensive overview of IT risk challenges and strategies. His contribution to the ADIRA podcast underlined the importance of a proactive, integrated approach to safeguarding IT systems and data in today’s businesses.
