Many people working in and around IT have had either formal training or extensive experience – sometimes both – in the technical aspects of computing, networking, and security. What I believe is missing is the formal aspects of information risk management. The concepts in this field are very diverse – they not only rely on core IT principles but they also require legal, HR, supply-chain, and other executive-level decision makers. What complicates risk management even further is that everyone has their own definition and opinions of risk. Some people believe that everything is a high or critical priority and that all security assessment or audit reports should be free of issues. Others tend to overlook the big security gaps and get caught up in the minutiae that keep them sidetracked and busy. Still others want the advice of outside experts and vendors yet ignore their findings because there is no hard “proof” that a vulnerability uncovered creates business risk.
Even given the various security vulnerability and risk standards as well as the numerous compliance regulations, everyone seems to have their own view of what risk really means. That might be OK for people protecting their own interests but it certainly complicates matters at the higher levels of business where the important decisions are being made and opinions are being established about security based on risk assessments. Regardless of opinions and approaches, at the most basic level, security risks are comprised of three things:
It’s the same in every situation. What’s often missing is the “ranking”. How does the risk translate into a business challenge? This can be distilled down to two factors: likelihood and impact. It’s easy to forget that not all security risks are created equal. Likewise, not all systems or business functions will be impacted the same. Some risks will have a low impact and a high likelihood. Others will have a low likelihood and a high impact. Where you must focus your efforts is on the risks that are both high likelihood and high impact – doing whatever it takes (within reason) to minimize these risks to acceptable levels. Again, this must be analyzed in the context of your specific situation for your particular business, and it’s often just a handful of issues that can be easily addressed once the decision is made.
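The likelihood-and-impact ranking described above, worked through in code. This is an added example, not part of the original post: the three-level scale, the numeric weights, the action buckets and the sample findings are all assumptions constructed for illustration. The point it makes is the one in the text: findings are sorted so that the high-likelihood, high-impact items surface first, while a low-likelihood/high-impact item still outranks a high-likelihood/low-impact one with the same score.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative scale; the numeric weights are an assumption for this example.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: str  # "low", "medium" or "high"
    impact: str      # "low", "medium" or "high"


def risk_score(f: Finding) -> int:
    """Likelihood x impact on the 1..3 scale, giving a value from 1 to 9."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]


def bucket(f: Finding) -> str:
    """Map a finding to the action the post argues for: only items that are
    both high likelihood AND high impact get the effort first."""
    if f.likelihood == "high" and f.impact == "high":
        return "fix now"
    if f.likelihood == "high" or f.impact == "high":
        return "schedule"
    return "monitor"


def rank_findings(findings: List[Finding]) -> List[Tuple[Finding, str]]:
    """Order findings so the high/high ones come first. Ties on score are
    broken by impact, then likelihood, so a low-likelihood/high-impact item
    is listed before a high-likelihood/low-impact one with the same score."""
    for f in findings:
        if f.likelihood not in LEVELS or f.impact not in LEVELS:
            raise ValueError(f"unknown level in finding {f.name!r}")
    ordered = sorted(
        findings,
        key=lambda f: (risk_score(f), LEVELS[f.impact], LEVELS[f.likelihood]),
        reverse=True,
    )
    return [(f, bucket(f)) for f in ordered]


# Constructed sample findings, not taken from any real assessment.
SAMPLE_FINDINGS = [
    Finding("Banner disclosure on an isolated test VM", "low", "low"),
    Finding("Unpatched internet-facing VPN appliance", "high", "high"),
    Finding("Weak password policy on the internal wiki", "high", "low"),
    Finding("Single point of failure in the payroll batch host", "low", "high"),
    Finding("Outdated TLS cipher suites on the intranet portal", "medium", "medium"),
]

if __name__ == "__main__":
    for finding, action in rank_findings(SAMPLE_FINDINGS):
        print(f"{risk_score(finding)}  {action:9}  {finding.name}")
```

Running the block prints the findings from highest to lowest score with the suggested action beside each; the VPN appliance (high/high) lands on top as "fix now", and the two score-3 items are ordered by impact rather than by their position in the input. The weights and bucket names are the kind of thing each organization decides for itself, which is exactly the "context of your specific situation" the post refers to.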
If you stray away from this approach to risk analysis because of vendor recommendations, audit guidance, or other political or economic factors, you’re not addressing security in the proper way and that’s exactly where you don’t want to be.