Rob Buckley – Freelance Journalist and Editor

Professional workshop: Managing your way out of risk


No organisation can prevent every possible incursion, so risk management is becoming the de facto way to protect an organisation's data. Rob Buckley takes you through the strategy and tactics of an approach used even in ancient Rome


Although there need to be ‘triviality’ rules to avoid risks such as including ‘the router being unplugged accidentally’ in the risk assessment, these rules need to be set with caution, warns Deloitte partner, enterprise risk services, Mark Carter. “You may have a generic rule such as ‘Every laptop over £100 should be captured’, but the risk is when a £50 laptop that's very important to business operations is left out.”

There may already be asset registries as a result of previous audits and compliance programmes, so these should be consulted. Business continuity programmes will also provide a clear idea of what assets are most vital to the organisation and in need of protection.

To locate other assets either missed by these programmes or that have since been introduced to the enterprise, existing security tools can be used, such as vulnerability scanners and patch management software, advises Gidi Cohen, founder and CEO of Skybox Security. Data loss prevention tools are available that can scan for particular types of information, typically by keyword.

However, processes themselves may also expose the organisation to risk, says Simon Marvell, MD of Acuity Risk Management. “How quickly are you patching flaws? What proportions of contractors have signed your policies? These kinds of data are important.”

Prioritise, prioritise
Once the initial risk assessment is done, compiling the information gathered and creating a suitable priority list and strategy list is the next step. This should be a simple bit of maths, requiring nothing more than an Excel spreadsheet. However, internal politics often cause risks to be prioritised in a more subjective way – or to at least be re-evaluated.

Some managers would rather that their work not be considered a risk to the organisation, out of fear of being punished. “There can be lots of lobbying going on,” says Citicus's Oxley. “When you are reporting risk and there's red on your charts, that can be unpalatable. The problem comes from compliance, a lot of which is couched in terms of ‘We can't have failures’.

“The reality is there will be red, organisations do have gaps and sometimes that has been papered over. They need to get over that attitude and admit when something isn't perfect and that we need to fix problems.” Others may actually want to be considered high-risk. Says van den Dool: “Typically, business owners don't disagree if there's a high risk put on them. It means they're important, so they talk up the risk and say that the impact of losing data is ‘humongous’ – depending on who ends up paying to mitigate it, of course.”

However, while re-evaluating risks objectively rather than simply taking business managers at their word might seem simple, the risk management project needs the cooperation of managers to succeed, so it may be that a certain amount of give and take is necessary when formulating the final ranking to get their backing.

Actions – and costs
The next step is to determine what needs to be done to mitigate each risk and how much it will cost to be done, which should be no different from any other security project. The resulting report, however, will have to be accessible to others and written in a language the board and potentially the rest of the business can understand.

There are two reactions people should avoid when presenting their report to the board, according to Craig Carpenter, VP marketing at Recommind: “The first is that they pooh-pooh something that has a risk of, say, 0.01 per cent occurring and say nothing needs to be done. It may seem that way, but if the risk is in the billions, you need to pay attention. The second is that they add all the bad things up and decide that something is definitely going to happen and we're all going to die a horrible death tomorrow, so there's no point doing anything – or, alternatively, you have to do everything. These people can't parse nuance.”
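The "simple bit of maths" behind the priority list, and the two board-room reactions Carpenter describes, can be made concrete in a few lines. The following is an added illustration, not code from the article or any of the vendors quoted: it ranks a constructed set of risks by expected annual loss (likelihood × impact), applies a triviality threshold that still keeps business-critical assets in scope (Carter's £50 laptop), and shows how a 0.01 per cent chance of a billion-pound loss outranks far likelier but cheaper incidents. All risk names and figures are invented for the example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    asset_value: float      # replacement cost in GBP (constructed)
    business_critical: bool  # flagged by business continuity planning
    probability: float      # estimated annual likelihood, 0..1
    impact: float           # estimated loss in GBP if it occurs


def in_scope(risk: Risk, threshold: float = 100.0) -> bool:
    """Triviality rule: include assets over the threshold, but never
    drop something the business has flagged as critical, however cheap."""
    return risk.asset_value > threshold or risk.business_critical


def expected_loss(risk: Risk) -> float:
    """Annualised expected loss: likelihood multiplied by impact."""
    return risk.probability * risk.impact


def rank_risks(risks: list[Risk], threshold: float = 100.0) -> list[Risk]:
    """Filter by the triviality rule, then order by expected loss, highest first."""
    scoped = [r for r in risks if in_scope(r, threshold)]
    return sorted(scoped, key=expected_loss, reverse=True)


# Constructed sample register (hypothetical values, not from the article).
SAMPLE_REGISTER = [
    Risk("Staff laptop theft", 800, False, 0.20, 5_000),
    Risk("Cheap laptop running the till", 50, True, 0.10, 50_000),
    Risk("Spare keyboard", 20, False, 0.50, 20),
    Risk("Customer database breach", 200_000, True, 0.0001, 1_000_000_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_REGISTER):
        print(f"{r.name:32s} expected loss £{expected_loss(r):,.0f}")
```

The 0.01 per cent database breach tops the list at £100,000 expected loss, the £50 till laptop stays in scope despite the £100 threshold, and the keyboard is dropped as trivial.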

