This blog is about risk management from a security point of view.
First thing to address is what "risk management" really means.
I fear that the term is, for some, just the latest boilerplate nametag to slap on their regular old products and services. If that's the case, then it will fade from the corporate view over time, as all management fads do.
I don't think risk management is a fad; I think that if done properly, it is the key for maximizing the value gained from security efforts, and the conceptual framework that will best resonate with CEOs and Boards.
There are five ways to deal with any given risk:
- Reduce it (with controls, for example)
- Ignore it
- Eliminate it
- Transfer it (with insurance, for example)
- Accept it (which is not the same as ignoring it)
Risk management is the process of recognizing risks faced by an organization and determining the optimum responses from the list above.
The goal of risk management is NOT to prevent all possibility of bad events or outcomes. (Which is why Rich Stiennon's recent article "Why risk management fails in IT" falls apart on his fourth point.)
The goal IS ultimately to prioritize allocation of resources, to give the organization its best overall probability of success.
At this moment in history, security risk management needs to grow in two specific ways in order to become more credible and effective:
1. It needs to be more quantitative: based more on data and less on tradition, hunches, hype, and fear.
2. It needs to be more inclusive, connecting the dots between fraud, IT security, physical security, loss prevention, privacy, records management, business continuity, and more.
This second point is a long-standing plank in CSO's platform. David Kent, VP of security at Genzyme (Sanofi North America), recently explained to me the benefit of this inclusivity:
"The primary benefit is identification and assessment of risks across professional disciplines -- so that when you do offer your views of probability and impact, it's done with this very broad perspective. By extension, the solutions that are going to come to the front are going to carry that broad thought with them, and inherently be more efficient," Kent said.
"For the solution or behavior or decision, you'll have incorporated all those views in a very time-efficient way, and gained the knowledge capital that comes from repeating that across time."
So as I noted above, an inclusive approach optimizes the effect of your risk management decisions and the efficiency of your controls.
This blog will focus on those two elements of risk management: Data and data-based decision making, and the intersections of all operational risk-related disciplines.
My next two posts will recap previous coverage of ERM on CSOonline. We've been covering ERM explicitly since 2008 and many of the ideas we've gleaned from CSOs are still timely and useful, forming a good foundation for real security risk management.
I look forward to your input!