What's this blog about? Data-driven and inclusive risk management.

This blog is about risk management from a security point of view.

The first thing to address is what "risk management" really means. I fear that the term is, for some, just the latest boilerplate nametag to slap on their regular old products and services. If that's the case, then it will fade from the corporate view over time, as all management fads do. I don't think risk management is a fad; I think that if done properly, it is the key to maximizing the value gained from security efforts, and the conceptual framework that will best resonate with CEOs and Boards.

There are five ways to deal with any given risk:

– Reduce it (with controls, for example)
– Ignore it
– Eliminate it
– Transfer it (with insurance, for example)
– Accept it (which is not the same as ignoring it)

Risk management is the process of recognizing the risks faced by an organization and determining the optimum response to each one from the list above. The goal of risk management is NOT to prevent all possibility of bad events or outcomes. (Which is why Rich Stiennon's recent article "Why risk management fails in IT" falls apart on his fourth point.) The goal IS ultimately to prioritize the allocation of resources, to give the organization its best overall probability of success.

At this moment in history, security risk management needs to grow in two specific ways in order to become more credible and effective:

1. It needs to be more quantitative: based more on data and less on tradition, hunches, hype and fear.
2. It needs to be more inclusive, connecting the dots between fraud, IT security, physical security, loss prevention, privacy, records management, business continuity, and more.

This second point is a long-standing plank in CSO's platform.
David Kent, VP of security at Genzyme (Sanofi North America), recently explained to me the benefit of this inclusivity: "The primary benefit is identification and assessment of risks across professional disciplines — so that when you do offer your views of probability and impact, it's done with this very broad perspective. By extension, the solutions that are going to come to the front are going to carry that broad thought with them, and inherently be more efficient," Kent said. "For the solution or behavior or decision, you'll have incorporated all those views in a very time-efficient way, and gained the knowledge capital that comes from repeating that across time."

So, as I noted above, an inclusive approach optimizes both the effect of your risk management decisions and the efficiency of your controls.

This blog will focus on those two elements of risk management: data and data-based decision making, and the intersections of all operational risk-related disciplines.

My next two posts will recap previous coverage of ERM (enterprise risk management) on CSOonline. We've been covering ERM explicitly since 2008, and many of the ideas we've gleaned from CSOs are still timely and useful, forming a good foundation for real security risk management.

I look forward to your input!