Professional workshop: Managing your way out of risk
- Article 24 of 33
- SC Magazine, January 2011
No organisation can prevent every possible incursion, so risk management is becoming the de facto way to protect an organisation's data. Rob Buckley takes you through the strategy and tactics of an approach used even in ancient Rome
This reaction might often be the case in organisations with no history of risk management, such as those that were working in lightly regulated areas but are now moving into areas that are more heavily regulated. Making sure risk is well understood in advance can mitigate this problem. The board can then decide which risks it is willing to take, which ones it isn't, and what budget needs to be allocated to the project to mitigate the risks. As with any security project implementation, a mixture of technology and training will undoubtedly be needed, with staff educated about any changes to the IT infrastructure that they need to know about and any processes that affect them.
A risk management strategy won't ensure that absolutely nothing happens to the enterprise. It just ensures that the events most likely to cause the most damage are mitigated. Then if something does happen, in all likelihood it either won't cause much damage or the damage it causes will be easily fixable.
Risks do not stay constant, however. Further threats emerge all the time. Organisations take on new projects, expand, acquire other companies and change their business processes in response to regulation, the market, other organisations or improved technology. They may start using outsourced services or cloud providers that need to be incorporated into the risk strategy. So a risk management strategy cannot stay constant for too long. Depending on the risks and the kind of organisation, various aspects of the strategy and IT assets will have to be monitored and altered when appropriate. A financial services company, for instance, might have to monitor its risk strategy with almost every transaction, while others may need to adapt policies only every six months or once a year.
Update, but not too often
If possible, says Carter, incidents should be used to update policy. However, “few organisations are able to successfully link real incidents that they suffer back to the risk management process. It's a missed opportunity for a feedback loop.”
Skybox Security's Cohen warns against updating the policy too often, though. “Staff are a vital part of risk management. Every time you make a change, you have to retrain them and you don't want to have to do that too often.”
Keeping staff and management onside also involves reminding them of the importance of what's being done, says Carpenter. “It's tough, but the best way to do it is to pick up a paper on a daily basis and show each group that vigilance is important.” Having an ‘information risk champion’, such as the CSO or someone in the security organisation, to keep risk ‘on the radar’ is something that Marvell recommends as well.
Risk management as applied to information security is not a panacea, nor is it an absolute science, but it potentially provides a more objective, more transparent way of dealing with the risks an organisation faces. If implemented well, it can also save money.
Case study: Ian Beale at Inchcape
Ian Beale joined international automotive retailer Inchcape in May 2007 as its director of risk and audit. His aim was to move the company from an audit-based approach to security and compliance to one based on risk management principles.
“Risk management is nothing more than good business management,” says Beale, who has since left Inchcape to join consultants Corporate Executive Board. “A large part of what I was trying to do was work with operational line management to understand, manage, mitigate and respond to risks.” Previously, the company's nine-strong audit team had focused more on compliance than risk, but under Beale's management and with the strong support and backing of Inchcape's CFO and CEO, the company and its operating companies “moved from a checklist approach, based on self-assessment or someone coming on site internally to see how well a unit was managing risk. We switched to working with them to take on board a much more active, risk management approach, in which risk was viewed as part of normal business and a natural part of any new project.”
The approach Beale took worked both at the operating company level and across the whole company. Beale and his team worked with MDs and FDs, as well as the various departments, to understand how they were assessing the risk they faced, what they were doing about it and how well the departments were interacting with one another on risk. With the IT directors, he worked to identify the key risks to the organisation, determine what controls he expected to see and assess how well the businesses were meeting each of those areas.
