Tough times and risk management, Part 2
Backspin
By Mark Gibbs, Network World, 12/01/2008
Two weeks ago, I promised to continue with my "tough times" rant, but last week I was diverted to awarding the Gibbs Golden Turkey Award to American Express. With Thanksgiving now behind us, however, let us forget our recent Bacchanalian revelries (and our extra
pounds) and forge ahead.
What I discussed in Part 1 was the need for a risk-assessment approach to IT management overall, not just to security. Reader
Scott Crawford (Boulder, Colo.) commented: "High time someone carved out the same systematic approach to IT risk that we have
almost taken for granted in other aspects of IT management!"
Scott and I talked on the phone (if you write, include your number and I may well call), and he was adamant that the risk-assessment-based
approach is so neglected as to be almost a lost art.
The problem is that this approach requires a willingness to allocate resources strategically; that in turn means you will
knowingly neglect investing in the low-value areas of your network should disaster strike.
As I suggested in Part 1, this leads to some interesting political issues, because in most organizations, power, the driving
force of politics, is vested in the groups and individuals perceived as being the most influential, a perception that usually
has less to do with budget size or revenue potential than with who controls the flow of information.
Who really controls the flow of information? You do! As I’ve been telling audiences at a series of events on identity management
I've been involved with, we are the masters of the universe because there is no such thing as business without IT. There's
nothing happening without IT providing the motive power.
So, here's the thing: You, my friend, are going to meet some serious political resistance when you tell the manager of widget
production that -- as much as you would like to specify, identify, implement, configure and run his crucially needed restroom-cleaning
management system -- there isn't enough money to do that. When you tell him that upgrading the stock-management system --
which, if it fails, could bring the company to its financial knees -- is more strategic than his project, he probably won't
be happy and he'll flex his political muscle.
How are you going to respond? The worst thing you can do is to present a logical, dispassionate analysis based on facts and
your years of experience -- typically when power politics are involved, it isn't the cool, rational argument that wins
but he who masters the sound bite.