Operational Risk and Resiliency Frameworks
A tale of five risk management characters and how they fit into your organization.
By Tyson Macaulay
October 30, 2006 — CSO
Prologue
Five guys walk into a bar: a banker, an ex-cop, a technology nerd, a mandarin (or skilled administrator)
and a soldier. The banker pops off his cuff links, rolls back his sleeves and orders a cognac. The cop
puts his hat on the table and gets a pint. The nerd orders a cola
and tonic, and the soldier orders Scotch. They are old friends from before they were professionals. They
are all now risk managers, and good ones.
These five have rekindled their relationship now that they all claim the same occupation. The cop, the nerd
and the soldier have been seeing each other frequently in recent years and work together pretty well.
They appreciate and are intrigued by the mandarin and have taken to inviting him out, but he is
traditionally an introvert and his instinct is still to work alone. The banker, well, no one really knows
what to make of him yet, and the feeling is mutual. Everyone sees a convergence of interest, which
has brought them together this evening.
"Well," says the banker as the Hennessy warms him. "I manage financial risks, which are the most important
of all because money makes the world go 'round, and puts roofs over heads. I work with credit risk,
debt risk, derivatives, interest rate fluctuations and equity valuations. I forecast for and warn
institutions
money with the least risk and the most possible upside. That is what risk management is all about."
"Rubbish!" says the cop as he wipes a little stout off his moustache. "I manage physical risks, which
are the most important of all because this is a mean world full of beasts in people's clothing. I
work with cameras, digital video recorders, door locks, motion detectors, proximity cards and RFID
tracking of people and goods. I design and implement security systems for institutions
individuals to a small degree
or internal threat agents. That is what risk management is about."
"You all seriously overestimate your midi-chlorian-count!" says the nerd as he orders another cola.
(Only those who have a high midi-chlorian count
in their bodies can be Jedi.) "I manage information and communications technology risks, which are the most
important of all because from traffic lights to paying for these drinks, IT keeps our world running.
Without IT, the world we live in stops in its tracks. I work with broadband pipes, firewalls and
intrusion-detection systems, antivirus, antispam and high-availability data centers. I design
information management and data communications systems for institutions
a small degree
or internal threat agents. That is what risk management is about."
"Please!" sputters the mandarin, gently swirling the ice cubes in his cocktail. "I manage natural
and man-made disaster risks, which are the most important of all because losses from these events
are measured in lives, not dollars, property damage or downtime. I am talking about hurricanes,
blackouts, pandemics and bombs. I work for institutions and with first responders conducting
exercises involving emergency services like police, fire and paramedics. I design tests and
develop plans and procedures to manage the unimaginable. That is what risk management is about."
"You all need a reality check," says the soldier as he savors the malt. "I manage confidentiality
of information, which is the most critical because it deals with national security and personal
privacy, which is about our ability to be sovereign as a nation and individuals. We are talking
about defending our data against malicious entities that would use it against us, and to their
advantage. Lives can easily be at stake, but very large sums of money too. I deal mostly with
government and military
That is what risk management is about."
At the Confluence of Risk