Why Did Home Depot Need More Risk Assessments?

How can the 33rd largest company in America compromise the personal data of 56 million customers? And how can a company that spent $1 billion to “digitize” itself take nine months to identify a breach? Most importantly, how can a company once cited for leadership and success in risk management fail to…well, manage risk?

Cyber-crime expert Brian Krebs asks “Are we spending most of our money on trying to keep the bad guys out or trying to detect as soon as possible when the bad guys get in?” Krebs feels that Home Depot was too focused on identifying potential threats and wasn’t prepared to deal with the actual manifestation of one.

For companies concerned with cyber security, Krebs’s question is a good one. When technology moves at a pace that is nearly impossible to keep up with, how can organizations structure their control environment to mitigate risk? The answer isn’t found in your company’s IT infrastructure, but rather in its Enterprise Risk Management (ERM) process.

Embracing Risk

Home Depot’s risks may have been inevitable, but they were also known. As early as 2008, employees warned management of a range of cyber-security threats. The company was working with an “outdated Symantec antivirus software,” and “did not continuously monitor the network for unusual behavior.”

Blaming the IT team for not prioritizing a system upgrade isn’t digging deep enough into the problem. Hidden behind the out-of-date software and the sporadic monitoring procedures is a failure of Enterprise Risk Management. Home Depot’s front-line employees, often the people most knowledgeable about a company’s risks, were unable to communicate their concerns to a level in the organization that could make the cost/benefit decision. The solution to this – a solution that benefits every company, whether large or small – is the use of comprehensive risk assessments.

With hundreds, maybe thousands of processes relying on IT applications, where could the business case have come from to make the upgrade an easy and high-priority decision for management? Risk Assessments would have equipped management with the input of the most knowledgeable individuals as part of a formalized process (rather than a one-off, red flag situation that can leave employees feeling vulnerable). Assessments at this level can provide the business case for change even when the current system “met industry standards for protecting customer data.”

The Power of Risk Assessments

Especially in the field of IT Security, change is too rapid for organizations to be comfortable relying on standards, policies, and compliance to manage risk. ERM bridges the gap. By not reaching down to the front-lines, Home Depot’s management wasn’t in a position to take action on risk. A fully-implemented ERM program – supported with Risk Management Software – would have provided the company with a more connected risk picture, and more data to ensure the proper mitigation activities were in place.

Not sure where to start? Download our Risk Assessment Template or eBook on 5 Steps for Better Risk Assessments.
