Professional workshop: Managing your way out of risk

No organisation can prevent every possible incursion, so risk management is becoming the de facto way to protect an organisation's data. Rob Buckley takes you through the strategy and tactics of an approach used even in ancient Rome

Every organisation in the world faces some kind of risk – and one with an IT infrastructure faces even more risks. Whether it's someone deliberately trying to break in, systems accidentally exposed to viruses or employees leaving data on USB drives, an organisation of any size is going to face potential disruption and losses as a result of IT-related security incidents. One response is to try to prevent every single incursion, but with limited budgets and the ways that security can be breached increasing every day, no organisation has the time, staff and money to do that. And so, risk management is becoming the de facto way to protect an organisation's data.

In theory, risk management is a simple concept. Instead of trying to prevent every single threat, you work out which threats are the ones you have to be worried about. These might not necessarily be the ones most likely to occur: a virus outbreak might be very likely to occur in the next two years, but may only cost £100 to fix the damage it causes. That won't be as concerning as a threat only half as likely to occur, but which needs millions of pounds to fix.

Assessment: theory and practice
To implement a risk management strategy, you must first perform a risk assessment, to work out what the potential risks to the organisation are, how likely they are to occur, what effect they will have on the organisation if they do occur, how much it will cost to fix the damage caused and how much it will cost to reduce the risk of them happening to acceptable levels. With some simple maths, you can rank these risks to prioritise their mitigation through technology or processes – or a combination of the two. Then repeat this risk assessment at regular intervals, both on your existing infrastructure and also when new projects are started, to ensure that any new risks are accounted for.

That's the theory. The practice, however, is somewhat different. Identifying risks can be difficult, particularly across large, geographically distributed organisations with data potentially spread throughout the enterprise on multiple devices and systems that may or may not be under the control of the security team. Assets might be managed by many different managers, some of whom might not want to cooperate or who might want to overplay or underplay the risks. Actually putting numbers to risks is far harder than it would be in an industry such as life assurance, where actuarial tables are readily available and risks change only slowly. Continuing to keep the organisation aware of the importance of risk management and thinking about risk in daily life require effort – as does getting people interested in risk management in the first place. Then there's coordinating all that effort and putting everything on an equal footing in a way that management will support, while dodging internal politics.

Go for clarity
The first stage of any information security risk management strategy is to get a clear idea of what's going to be involved in the process. If there are likely to be big changes to the organisation, rather than a simple alteration of approach by the information security function, board-level support will be necessary to help push through the changes and to ensure continued adherence to the strategy. Without such backing, any strategy is highly unlikely to succeed.

However, with top-level support, an initial risk assessment can begin. Firstly, standard definitions of risk need to be determined. In many cases, it will be hard to quantify risk – what is the exact percentage chance that either a hacker might breach the CRM system within the next two years or a member of the HR department lose their laptop? However, there are ways of calculating these risks. In some cases, commercially available risk management software includes data on standard risks; some organisations, such as the Information Security Forum (ISF) or the Information Risk Awareness project (http://inforiskawareness.co.uk/), can also provide advice. Simon Oxley, founder and MD of risk software developer Citicus, says organisations can often use their own data: “If you look at the history of incidents in your own organisation, there's real evidence that shows a strong correlation between minor incidents and the likelihood of major incidents.”

Nevertheless, it might be preferable to create metrics that rank risks in categories such as high, medium or low, corresponding to particular ranges of likelihood. This approach also works well with other metrics, such as impact on the business and cost of fixing any damage.
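The "simple maths" of the assessment step, and the range-based likelihood bands just described, can be made concrete with a small risk register. The following is an added example written for this page, not code from the article or from any of the organisations it mentions; the sample risks, figures, band thresholds and the two-year assessment period are all constructed for illustration. It ranks risks by expected loss (likelihood multiplied by cost of the damage), maps exact probabilities onto high/medium/low bands for managers who cannot give a precise percentage, and then decides which mitigations are worth funding by comparing the expected loss they avoid against what they cost.

```python
from dataclasses import dataclass

# Likelihood bands (an assumption for this example, not from the article):
# a probability of occurrence within the assessment period is mapped to
# "high", "medium" or "low" so that people who cannot give an exact
# percentage can still rank risks on a consistent scale.
LIKELIHOOD_BANDS = [(0.5, "high"), (0.1, "medium"), (0.0, "low")]


@dataclass
class Risk:
    name: str
    likelihood: float           # probability of occurring within the period (0..1)
    impact_gbp: float           # cost to fix the damage if the incident occurs
    control_cost_gbp: float     # cost of the mitigation under consideration
    residual_likelihood: float  # likelihood once that mitigation is in place

    def expected_loss(self) -> float:
        """Likelihood x impact: the figure used to rank risks against each other."""
        return self.likelihood * self.impact_gbp

    def residual_expected_loss(self) -> float:
        return self.residual_likelihood * self.impact_gbp

    def net_benefit(self) -> float:
        """Expected loss avoided by the control, minus what the control costs."""
        return self.expected_loss() - self.residual_expected_loss() - self.control_cost_gbp


def likelihood_band(p: float) -> str:
    """Map a probability onto the high/medium/low scale defined above."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"likelihood must be a probability between 0 and 1, got {p}")
    for threshold, band in LIKELIHOOD_BANDS:
        if p >= threshold:
            return band
    return "low"


def rank_by_expected_loss(register):
    """Most expensive risks (in expectation) first."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def prioritise_controls(register):
    """Mitigations worth funding, most valuable first: only those with a positive net benefit."""
    worthwhile = [r for r in register if r.net_benefit() > 0]
    return sorted(worthwhile, key=lambda r: r.net_benefit(), reverse=True)


# Constructed sample register over a two-year period, following the article's
# illustration: a near-certain but cheap virus outbreak against a half-as-likely
# but very expensive breach. Every figure here is invented for the example.
SAMPLE_REGISTER = [
    Risk("Virus outbreak on desktops", 0.8, 100.0, 2_000.0, 0.2),
    Risk("CRM database breached", 0.4, 5_000_000.0, 150_000.0, 0.1),
    Risk("HR laptop lost with unencrypted data", 0.3, 250_000.0, 20_000.0, 0.25),
    Risk("Unstructured sales data leaked from laptops", 0.15, 400_000.0, 30_000.0, 0.05),
]


def register_report(register):
    """Rows of (name, band, expected loss, net benefit of control) in priority order."""
    return [
        (r.name, likelihood_band(r.likelihood), round(r.expected_loss(), 2), round(r.net_benefit(), 2))
        for r in rank_by_expected_loss(register)
    ]


if __name__ == "__main__":
    for name, band, loss, benefit in register_report(SAMPLE_REGISTER):
        print(f"{name:45} likelihood={band:6} expected loss=£{loss:>12,.2f} control net benefit=£{benefit:>12,.2f}")
    print("Controls worth funding, in order:")
    for r in prioritise_controls(SAMPLE_REGISTER):
        print(f"  {r.name}")
```

Run as a script it prints the register in priority order. Note how the ordering differs from a likelihood-only view: the virus outbreak is the most likely event but sits at the bottom by expected loss, and the laptop-loss control is rejected because the awareness measure modelled here reduces the likelihood too little to pay for itself. Real assessments would also let a control reduce the impact rather than the likelihood (encryption does not stop a laptop being lost, it limits the damage), which is a straightforward extension of the `Risk` record.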

Get colleagues onside
Another reason for creating range-based metrics is that frequently it won't be the security team which will be ranking risks that pertain to a business process or human risk: the manager of the relevant department will be more likely to be able to judge the risks, as well as the impact on the business if an incident occurs. This will not only require liaison with the manager, it might bring in other people to perform the assessment. So explaining the reason for adopting the strategy is even more important, in order to get managers and staff onside.

Often a good method to determine the risks is for ISPs to interview staff and managers and ask them to describe the steps involved in particular business processes and the IT assets used. However, not all assets are hardware or software – corporate information that must be protected and not lost is equally important, if not more so.

Don't miss important elements
“Many organisations know where their key assets are, but they miss important elements,” says Floris van den Dool, executive director for Accenture Technology Consulting's security business in Europe, Africa and Latin America. “Do they include PowerPoint presentations on laptops? CRM data on BlackBerries? The biggest risk is at the unstructured level – so you should get a business manager to describe the business processes involved in a sales cycle or preparing a proposal and what gets exposed. Then you go back to the business process and the user data to see what IT assets get used, then break down the threats.”
