How to Build a Strong IT Risk Mitigation Strategy

With threats rapidly multiplying, IT has become inherently risky. A strong risk management strategy minimizes the danger.

John Edwards, Technology Journalist & Author

February 22, 2024


Risk management, the identification, evaluation, and prioritization of risks, should be a top priority for every IT leader looking to protect data and other valuable resources.

“Building a strong IT risk mitigation strategy is like assembling a puzzle where each piece represents a critical element of the organization’s digital infrastructure,” observes George Chedzhemov, cybersecurity strategist at data security, compliance, privacy, and governance provider BigID in an email interview.

Risk mitigation is the end result of a strong cybersecurity risk management implementation, says Frank Schugar, CEO of Aerstone, a cybersecurity solutions company, via email. “The process should start by assigning risk management roles and responsibilities across the organization, and by designating an authorized official to lead the risk management effort.”

First Steps

Building a strong risk mitigation strategy should begin with a comprehensive risk assessment in order to understand the specific risks the organization faces, Chedzhemov says. “This should include an evaluation of both internal and external risk factors.”

Once specific roles have been defined, Schugar recommends creating a CONOPS (concept of operations) document, defining specific risk management goals and objectives. The final framework should be right-sized for the organization, allowing continued maturation over time.


A comprehensive risk mitigation strategy should cover several core areas, including asset inventory, threat assessment, vulnerability assessment, data gathering/analysis/reporting, and impact assessment, Schugar says. “In order for the resulting risk score to be usable, the exposure data analysis needs to be highly automated, which generally involves setting up a data warehouse for key metrics,” he explains. “The impact analysis also needs to take into account system categorization, driven by confidentiality, integrity, and availability assessments.”

A robust risk mitigation strategy should encompass data protection, network security, regulatory compliance, employee training, incident response planning, and business continuity planning, Chedzhemov says. “It’s essential to address not just the technological, but also human factors.”

Building a Team

The risk strategy development team should be a cross-functional group, including operations, engineering, privacy, monitoring, cybersecurity, threat analysis, and the risk operations team itself, Schugar says. “Team leads should commit, with signature, to supporting the risk management effort.”


Chedzhemov believes that the strategy development team should also include representatives from IT, human resources, and legal. “Each department offers unique insights into potential risks and their mitigation, ensuring a more comprehensive strategy.”

Gathering Support

The strategy development team also needs the support provided by independent research. “There’s an enormous amount of resources available to support risk management processes,” Schugar says. “NIST publishes a number of documents that can help this process, notably NIST 800-37, which outlines the federal government’s risk management framework, a six-step process that ultimately helps ensure vulnerabilities are minimized to provide a high level of risk assurance,” he notes. “There are also copious free resources available from groups like SANS and CIS, which publish guidance and whitepapers that can help executives mature their understanding of the risk management process.”

The team should also take advantage of professional networks, industry-specific conferences, and specialist professional cybersecurity and information technology online forums, Chedzhemov says.

Final Steps

It’s important to review strategies periodically, especially when new risks are identified, recommends Shawn Loveland, chief operating officer at cybersecurity firm Resecurity in an email interview. Additionally, the current strategy should be reevaluated when third parties experience threats. “This will help determine if the company needs to adjust its strategy and scope.”


A common risk management mistake is viewing the process as a one-time activity to be completed, rather than as an ongoing process, Chedzhemov says. “Effective risk management requires continuous monitoring, assessment, and adjustment.”


Building a strong IT risk mitigation strategy requires creating a culture of security awareness throughout the organization, Chedzhemov says. “Employees should be trained and encouraged to recognize and report potential security threats and infiltration or breach attempts,” he notes. “This human element is often the first line of defense against cyber threats.”

Organizations frequently conflate threats with risk, but at a more basic level, organizations need to appreciate that the goal of risk management is risk assurance, and not the complete elimination of risk, Schugar says. “Risk may be reduced, mitigated, or accepted, but the key goal is to understand the residual risk that an organization is accepting,” he explains. “Most organizations get that tragically wrong.”

Risk management isn’t about avoiding all risks but identifying, assessing, and mitigating them to balance risk and cost, Loveland says. He notes that eliminating all risks can hinder growth and innovation. “Effective risk management involves understanding and managing risks at an acceptable level and making informed decisions.”
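As an added illustration, not code from the article or from any of the firms quoted above: a small Python risk-scoring model that ties together the pieces Schugar describes (asset inventory, threat and vulnerability inputs, a system categorization driven by confidentiality, integrity and availability, and a score that can be computed automatically) with the residual-risk accounting that he and Loveland say most organizations get wrong. The 1..5 input scales, the control catalogue, the sample assets and the tolerance value are constructed assumptions for illustration; only the high-water-mark categorization rule follows FIPS 199.

```python
# Added example, not code from the article or from any of the firms quoted.
# A minimal risk-scoring model of the kind described above: impact is driven by
# a C/I/A system categorization (FIPS 199 high-water mark), the score combines
# threat likelihood and exposure with that impact, and the register reports the
# residual risk left after controls so an authorizing official can decide what
# to accept. The 1..5 scales, the control catalogue, the sample assets and the
# tolerance are constructed assumptions for illustration.
from dataclasses import dataclass, field

# FIPS 199 impact levels, mapped to numbers so they can be compared.
LEVEL = {"low": 1, "moderate": 2, "high": 3}

# Assumed control catalogue: how much each control lowers the 1..5 likelihood
# and exposure inputs. In practice these weights come from your own framework.
CONTROLS = {
    "mfa":      {"likelihood": 2, "exposure": 0},
    "patching": {"likelihood": 0, "exposure": 2},
    "backups":  {"likelihood": 0, "exposure": 1},
}


@dataclass
class Asset:
    name: str
    confidentiality: str   # "low" | "moderate" | "high"
    integrity: str
    availability: str
    threat_likelihood: int          # 1..5, e.g. from threat intelligence
    exposure: int                   # 1..5, e.g. worst open scanner finding
    controls: list = field(default_factory=list)


def categorize(asset):
    """System categorization by the FIPS 199 high-water mark: the system's
    impact level is the highest of its confidentiality, integrity and
    availability impact levels."""
    return max(LEVEL[asset.confidentiality],
               LEVEL[asset.integrity],
               LEVEL[asset.availability])


def inherent_risk(asset):
    """Risk before controls: likelihood x exposure x impact (assumed formula,
    range 1..75 on these scales)."""
    return asset.threat_likelihood * asset.exposure * categorize(asset)


def residual_risk(asset):
    """Risk remaining after the asset's controls are applied. Each input is
    floored at 1: a control can reduce a risk, never make it vanish."""
    likelihood = asset.threat_likelihood
    exposure = asset.exposure
    for name in asset.controls:
        likelihood -= CONTROLS[name]["likelihood"]
        exposure -= CONTROLS[name]["exposure"]
    return max(1, likelihood) * max(1, exposure) * categorize(asset)


def disposition(asset, tolerance):
    """Accept the residual risk if it is within the organization's stated
    tolerance; otherwise it still needs mitigation (or a documented,
    signed acceptance by the authorizing official)."""
    return "accept" if residual_risk(asset) <= tolerance else "mitigate"


def risk_register(assets, tolerance):
    """Build the register an executive would review: worst residual risk
    first, with the reasons visible rather than only a final number."""
    rows = []
    for a in sorted(assets, key=residual_risk, reverse=True):
        rows.append({
            "asset": a.name,
            "category": categorize(a),
            "inherent": inherent_risk(a),
            "residual": residual_risk(a),
            "controls": list(a.controls),
            "disposition": disposition(a, tolerance),
        })
    return rows


# Constructed sample inventory (not real systems).
SAMPLE_ASSETS = [
    Asset("payroll-db", "high", "high", "moderate", 4, 5, ["mfa", "patching"]),
    Asset("marketing-site", "low", "moderate", "moderate", 5, 3, ["patching"]),
    Asset("hr-portal", "high", "moderate", "low", 3, 4, []),
]
RISK_TOLERANCE = 12  # assumed: the residual score leadership has agreed to accept

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS, RISK_TOLERANCE):
        print(f"{row['asset']:<15} cat={row['category']} "
              f"inherent={row['inherent']:>3} residual={row['residual']:>3} "
              f"{row['disposition']}")
```

Run as-is, the register lists hr-portal first: its inherent score (36) is lower than payroll-db's (60), but payroll-db's MFA and patching bring its residual down to 18 while the uncontrolled hr-portal stays at 36. That ordering, and the explicit accept/mitigate column against a stated tolerance, is the point of tracking residual rather than inherent risk.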

About the Author(s)

John Edwards

Technology Journalist & Author

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.
