
Risk specialists and IT staff need to work together: mutual support is vital to protect business information, says Jeremy Ward.

New international legislation and regulation, such as Basel 2 and Sarbanes-Oxley, states that if you do not have adequate mechanisms for controlling and auditing the flow of information in your company, you will incur penalties.

This has caused people responsible for operational risk to wake up to the fact that IT is important for information flow and auditing.

At the same time, IT people have realised that to understand their job, they ought to know a bit more about the business impact associated with the assets for which they are responsible. As a result, the previously separate orbits of operational risk and information security have begun to overlap.

Unfortunately, each party seems to treat the other with suspicion. Both seem to be fighting over this concept of "risk". Operational risk specialists feel they are the experts in this area, but information security people feel that operational risk people do not understand information security risk. So who is right?

Preserving the confidentiality, integrity and availability of information involves people, processes and systems. Failure of any of these would certainly increase the risk of loss, so information security can clearly be seen to constitute an important factor in the control of operational risk. In this sense, information security might be seen as contributing to operational risk management, but playing a subordinate role.

However, information is fundamental to the operation of any business. It is impossible to run a successful business without detailed and specific information, and if you cannot trust the confidentiality and integrity of this information, your business will not survive.

In the wider sense, operational risk management is contingent on good information security. In turn, security may be seen as conditioning operational risk.

The problem lies in the understanding of risk. Operational risk specialists spend their professional lives thinking about what it means to the business in terms of consequences and costs, but information security has a poor track record of speaking meaningfully about risk in this way.

Traditionally, security specialists in the IT department think about the risks to the bits and bytes, but not about their criticality to the business overall. By contrast, operational risk specialists have existed at a more rarefied level, unlikely to consider the consequences of the failure of the information on which businesses depend. In the newly regulated world, these two levels of understanding must come together.

Specialists in operational risk and information security cannot afford to fight about the ownership of risk. They must agree to a contract of mutual support. Operational risk managers need to know more about the threats to networked assets, and IT security leaders need to understand more about how to determine the business criticality of the assets for which they are responsible.
Jeremy Ward is a consultant at Symantec.