How IT can transition from firefighter to risk manager
This article is part of Spiceworks’ Recalibrating Risk Tolerance series investigating the contemporary landscape of cybersecurity risk. You can follow along on our landing page, where we’ll be adding new stories all week.
It’s Tuesday morning, you’ve got three projects on deck, and now the dreaded notification has come in: something broke. Your VPN gateway just failed, accounting got hit with a ransomware attack, or that ancient database you’d MacGyvered a little bit more life from finally gave up the ghost. Welcome to another day in IT firefighting mode, where your carefully planned week becomes a smoldering pile of emergency tickets.
Many IT departments run in perpetual crisis mode, rushing from one emergency to the next with barely enough time to document what went wrong, let alone prevent it from happening again. IT pros know proactive risk management would save time, money, and peace of mind in the long run, but getting to that ideal state is easier said than done.
You don’t need a complete operational overhaul or a massive budget increase to make the transition from firefighter to risk manager, though. What you need is a shift in how you think about and prioritize your daily work. And yes, you can start this transition even while you’re still putting out fires.
Accept that you can’t prevent every fire (but you can contain them)
Emergencies happen to the best of us. Although every IT pro wants to prevent them from happening in the first place, that’s not a realistic goal. Instead, it’s better to aim for reducing the frequency and impact of these events while building your capacity to handle the ones that do come up.

If you create a simple spreadsheet that tracks every fire you put out for three months, you’ll likely see macro-level patterns that weren’t so obvious at the time. When 60% of emergencies stem from three aging servers, you’ll have compelling data for targeted upgrades that could cut your emergency tickets in half.
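As an added example (not from the Spiceworks article), the following Python script does the pattern-finding the paragraph describes on a constructed three-month incident log: it counts fires per system and per cause, converts response minutes into hours, and summarizes how concentrated the emergencies are in the top few systems. The system names, causes and durations are all made up for illustration.

```python
from collections import Counter

# Constructed sample: a three-month "fires I put out" log, as it might look after
# exporting the tracking spreadsheet. Systems, causes and durations are invented.
INCIDENTS = [
    {"month": "Jan", "system": "db-legacy-01",    "cause": "disk full",         "minutes": 90},
    {"month": "Jan", "system": "vpn-gw-01",       "cause": "tunnel drop",       "minutes": 45},
    {"month": "Jan", "system": "backup-sync-job", "cause": "sync failed",       "minutes": 30},
    {"month": "Jan", "system": "db-legacy-01",    "cause": "service crash",     "minutes": 120},
    {"month": "Feb", "system": "fileserver-02",   "cause": "permissions reset", "minutes": 40},
    {"month": "Feb", "system": "vpn-gw-01",       "cause": "tunnel drop",       "minutes": 60},
    {"month": "Feb", "system": "db-legacy-01",    "cause": "disk full",         "minutes": 75},
    {"month": "Feb", "system": "backup-sync-job", "cause": "sync failed",       "minutes": 30},
    {"month": "Mar", "system": "mail-relay",      "cause": "queue stuck",       "minutes": 25},
    {"month": "Mar", "system": "vpn-gw-01",       "cause": "cert expired",      "minutes": 90},
    {"month": "Mar", "system": "db-legacy-01",    "cause": "service crash",     "minutes": 135},
    {"month": "Mar", "system": "wifi-controller", "cause": "reboot needed",     "minutes": 20},
]


def count_by(incidents, key):
    """Count incidents grouped by one field ('system', 'cause', 'month'), most frequent first."""
    return Counter(i[key] for i in incidents).most_common()


def hours_by_system(incidents):
    """Response hours per system, highest first: the cost view of the same data."""
    minutes = Counter()
    for i in incidents:
        minutes[i["system"]] += i["minutes"]
    return {system: m / 60 for system, m in minutes.most_common()}


def concentration(incidents, top_n=3):
    """Fraction of all incidents caused by the top_n systems (the 'X% from three servers' check)."""
    counts = count_by(incidents, "system")
    return sum(c for _, c in counts[:top_n]) / len(incidents)


def upgrade_case(incidents, top_n=3):
    """Summarize the data for a targeted-upgrade proposal: which systems, what share, how many hours."""
    hours = hours_by_system(incidents)
    systems = [s for s, _ in count_by(incidents, "system")[:top_n]]
    return {
        "systems": systems,
        "incident_share": round(concentration(incidents, top_n), 2),
        "hours_spent": round(sum(hours[s] for s in systems), 2),
    }


if __name__ == "__main__":
    print("Incidents per system:", count_by(INCIDENTS, "system"))
    print("Incidents per cause:", count_by(INCIDENTS, "cause"))
    print("Hours per system:", hours_by_system(INCIDENTS))
    print("Upgrade case:", upgrade_case(INCIDENTS))
```

On the constructed data, three systems account for 75% of the fires and over eleven hours of response time in a quarter, which is the kind of figure that turns "that old database keeps breaking" into a budget request. A real export from a ticketing system would replace the `INCIDENTS` list; the aggregation does not change.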
Build risk assessment into your existing processes
Once you’ve got a straightforward tracking system in place, begin building some risk thinking into your daily work. Every ticket, project, and change request is an opportunity to ask, “What could go wrong here, and how can we prevent it?”
When reviewing a new project proposal, include a short risk assessment in your evaluation. It doesn’t have to be formal. Even a simple “high/medium/low” rating with mitigation notes helps shift your thinking from reactive to proactive.
Explain your risk assessments to stakeholders by translating technical vulnerabilities into their business impacts. Instead of saying “our firewall is outdated,” explain that “we have a 40% higher chance of a breach that could cost us three days of downtime and $50,000 in recovery costs.” The powers that be understand risk when you speak their language.
Steal time from the future (your future self will thank you)
Time is the biggest obstacle to proactive risk management. When every day is a crisis, it’s hard to see how you’ll ever get ahead of the chaos. That being said, you still have to carve out some time for this important work.
Dedicate a set number of hours each week, say four, toward proactive risk reduction. Pick one recurring problem and go after its root cause instead of applying another quick fix, automate one manual process that frequently fails, or update documentation for one critical system. These small investments will pay dividends you can reinvest in higher-level risk management improvements later on.
For instance, if you’ve spent six months applying daily workarounds to a failing cloud backup sync instead of properly fixing it, there’s your opportunity. Those daily 30-minute responses add up to 15 hours a month, while properly reconfiguring the backup job might take just four hours and eliminate the problem. The wasted hours become painfully clear once you do the math, but it’s hard to see when your phone is blowing up with anxious users wondering when that mission-critical system is going to be back online.
Create a risk registry that actually gets used
Risk registries catalog all potential threats to your systems, their likelihood and impact, and any mitigation strategies you’ve identified. Unlike that simple incident-tracking spreadsheet we talked about earlier, which just logs what already happened, a risk registry identifies what could go wrong in the future.
The problem is that these formal documents often become elaborate spreadsheets that get updated once and forgotten—but they’re not really “set it and forget it” management tools. So, try creating something lightweight that integrates with your daily operations.
Keep it simple with just the essentials such as system name, risk level, potential impact, likelihood, and mitigation status. Each risk should have a clear owner and next step, even if that step is “accept risk until budget available.” This transparency helps you make better decisions about where to focus your limited resources.
Lastly, make it a point to review your risk registry during your regular team meetings. That way, everyone will know it’s a priority, and they’ll be more likely to reevaluate IT challenges and opportunities in terms of risk, too.
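As an added example (not the article's own material), here is a lightweight risk registry in Python built from the essentials listed above: system, likelihood, impact, business-language potential impact, mitigation status, owner, next step and a last-reviewed date. It ranks risks with a simple high/medium/low product, and it generates the team-meeting agenda by flagging entries with no owner or next step and entries nobody has looked at recently. The entries, names, dates and the 30-day review window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Three-point scale for likelihood and impact; the product (1..9) is only for ranking.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    system: str
    likelihood: str             # "low" / "medium" / "high"
    impact: str                 # "low" / "medium" / "high"
    potential_impact: str       # what it costs the business, in their language
    mitigation_status: str      # "open" / "in progress" / "accepted" / "mitigated"
    owner: str = ""
    next_step: str = ""
    last_reviewed: Optional[date] = None

    @property
    def score(self) -> int:
        """Likelihood x impact: coarse on purpose, enough to order the list."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def prioritized(register: List[Risk]) -> List[Risk]:
    """Live risks ranked highest score first; mitigated entries leave the working list."""
    live = [r for r in register if r.mitigation_status != "mitigated"]
    return sorted(live, key=lambda r: r.score, reverse=True)


def missing_owner_or_step(register: List[Risk]) -> List[str]:
    """Entries that violate the 'clear owner and next step' rule."""
    return [r.system for r in register if not r.owner or not r.next_step]


def stale(register: List[Risk], today: date, max_age_days: int = 30) -> List[str]:
    """Entries not reviewed within max_age_days (never reviewed counts as stale)."""
    cutoff = today - timedelta(days=max_age_days)
    return [r.system for r in register
            if r.last_reviewed is None or r.last_reviewed < cutoff]


def meeting_agenda(register: List[Risk], today: date) -> dict:
    """What to put in front of the team: top risks, registry gaps, overdue reviews."""
    return {
        "top_risks": [(r.system, r.score, r.next_step) for r in prioritized(register)[:3]],
        "needs_owner_or_step": missing_owner_or_step(register),
        "overdue_review": stale(register, today),
    }


# Constructed registry and review date; "accept risk until budget available" is a valid next step.
TODAY = date(2024, 4, 1)
REGISTER = [
    Risk("db-legacy-01", "high", "high", "Payroll export stops; roughly three days to rebuild",
         "open", "jsmith", "Get replacement quote", TODAY - timedelta(days=7)),
    Risk("vpn-gw-01", "medium", "high", "Remote staff cannot work",
         "in progress", "alee", "Firmware update in next change window", TODAY - timedelta(days=45)),
    Risk("wifi-controller", "low", "medium", "Guest Wi-Fi outage",
         "accepted", "jsmith", "Accept risk until budget available", TODAY - timedelta(days=3)),
    Risk("backup-sync-job", "high", "medium", "Restore window missed; up to a day of data lost",
         "open", "", "", TODAY - timedelta(days=2)),
    Risk("mail-relay", "low", "low", "Outbound mail delayed",
         "mitigated", "alee", "None; queue alerting in place", TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    for key, value in meeting_agenda(REGISTER, TODAY).items():
        print(f"{key}: {value}")
```

Running it against the constructed registry puts the legacy database at the top, flags the backup job as having neither an owner nor a next step, and lists the VPN gateway as overdue for review. Those three lines are the whole weekly check-in; if the registry lived in a spreadsheet or ticketing tool instead, the same functions would run over its export.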
Transform your team from reactive to proactive
You can gradually shift mindsets even further by changing how you recognize and reward work. So, start recognizing your prevention wins in addition to your firefighting accomplishments.
When someone spends a day automating a problem-prone process, make that visible. When proactive monitoring catches an issue before users notice, highlight it. Share metrics on prevented outages, not just resolved tickets.
Give your team permission to say no to non-critical requests when they’re doing prevention work. You can take this a step further by implementing “risk reduction sprints” in which the team exclusively focuses on eliminating future problems.
Although it may seem like a drop in the bucket, even one day a month will move the needle. Over time, you’ll start to enjoy a better work-life balance and your IT shop will become more resilient than you thought possible.
Use incidents as risk management opportunities
Every incident provides real-world data about what can go wrong and how, and mining that data will help you become a better risk manager. Implement proper post-mortems, but keep them blameless and focused on prevention.
One way to do this is by documenting not just what happened, but what almost happened. Near-misses often reveal bigger risks than actual incidents. For example, that backup that almost failed could be your canary in the coal mine.
Most importantly, implement the lessons learned. Nothing kills a risk management culture faster than post-mortems that generate action items nobody acts on, so pick one or two critical improvements from each incident and consistently follow through on them.
Measure progress in prevented problems, not just solved ones
Traditional IT metrics focus on incident resolution: ticket closure rates, mean time to repair, uptime percentages, and so on. These stats matter, but they only tell half the story. Consider establishing and tracking prevention metrics, too.
This might look like counting the incidents that didn’t happen because you upgraded that system or measuring the tickets your team avoided by rolling out a new automation. These kinds of data points can help you see and articulate the value of your evolution from firefighter to risk manager—including and especially when budget season rolls around.
Start where you are, not where you wish you were
If your daily work environment is so hectic that the “This is fine” meme looks like a realistic depiction of what you’re up against, all of this may seem a bit ambitious. The thing to know is that while a perfect risk management program isn’t possible—almost nobody has time for that—a better one is.
The transformation from firefighter to risk manager isn’t an event but an ongoing journey. With purpose and persistence, you can make more progress than you’d expect. Some days you’ll still be in full firefighting mode, and that’s okay. The difference is that now you’ll be fighting fires with one hand while preventing future ones with the other.