
The first step to managing risk is to identify the
dangers to your organisation
Risk management can be an incredibly dry topic, but managing risk
is something we do every day of our lives.
Risk assessment is a part of that process, and mitigation of risks,
vulnerability or threat assessment and asset identification are
also all part of risk management - and each of us does them to some
extent on a daily basis.
Last week I entered an uncontrolled area, identified a significant
threat to one of my tangible assets and mitigated that risk by
putting the bread knife in the kitchen drawer so my three-year-old
could not cut herself. We do that type of risk management thousands
of times without thinking, but when we are asked to take a
similar view of our business lives, most of us do it selectively at
best.
Unfortunately, risk is not as selective. Your business is at risk
in many ways and the threats which can strike as a part of these
risks are constantly evolving.
Defining risk has always produced varying and challenging answers.
I think the best definition of risk is as follows: "Risk is the
likelihood of a given threat source exercising a particular
potential vulnerability and the resulting impact of that adverse
event on the organisation."
Risk management is so widely misunderstood that its terms are often
used interchangeably: threats, risks, vulnerabilities, likelihood, impact,
weaknesses, probability. Many risk assessments only address part of
the problem and this accounts for how many times we are caught out
by an unexpected risk.
In the words of Monty Python, "No one expects the Spanish
Inquisition..." Well, I do, and I expect lots of other bad things to
happen too, so it is a relief when they do not. Risk management is
simply the process of identifying, evaluating, controlling and
mitigating risk.
So, the boy scout approach is the only way forward, but how do we
go about changing generations of mismanagement and
misunderstanding? Businesses seem happy to be slowly pushing back
the boundaries of what they feel is acceptable without appropriate
defences. There are still many ways businesses could be seriously
hit, and the only reason these events are not commonplace is
because their probability is extremely low.
Conveying the message can be a little bit like walking around
wearing an "end of the world is nigh" sign and belief certainly
wanes when the predicted events do not occur.
I have observed over the years that not all security managers are
well versed in risk management. In many cases, risk assessments are
conducted on an ad hoc basis and only within certain parts of the
business.
Another key factor to effectively managing risk is to ensure that
the cost and levels of protection are commensurate with the value
of the asset. A precursor to this is asset identification. After
all, it is not possible to protect something if you do not know it
exists.
Throughout the UK and Europe, too many firewalls and anti-virus
systems are implemented without proper risk assessments taking
place. Instead, assumptions are made or previous bad experiences
are recounted and the product is purchased and put in place.
Firewall and anti-virus products are the only accepted technologies
modern businesses do not really challenge. Firms accept there is a
risk. They certainly have seen and possibly even experienced not
being protected and therefore consider such products as essential.
Unfortunately, many businesses dread hearing about the next
technology that qualifies in the "absolutely must have"
category.
As the threats are evolving and increasing, the potential impact
increases as we become more reliant upon technology. Many of the
peripheral technologies such as intrusion detection and prevention
systems, virtual private networks, biometrics, content scanning and
firewalls are all rapidly becoming "must haves".
The reality is that we cannot simply assume we need the essentials of
security. We must conduct a proper risk assessment before
allocating our IT and security budget.
What most companies will find when doing so is that they can
justify a firewall and anti-virus software because of identified
risks, but they will also have identified some of the other
technology requirements listed above. What the industry has to
convince business leaders of is the need to go back and conduct
this process for better understanding.
Phil Cracknell is chief technology officer at IT security
supplier Netsurity