One pearl of wisdom I particularly like is “never say no, put a price on yes.” I apply this a lot in my work because, IMHO, the very worst thing a security manager can do is refuse to sign off on a request without communicating the risks, advocating alternatives, or stating what can be done to mitigate the risks associated with the request down to an acceptable level.
We shouldn’t be slaves to policy – the landscape is changing fast, and current business requirements are often outside what was originally considered when some of those dusty old policy documents were first conceived. As we seek to become more dynamic and take advantage of social networking, virtual worlds, VoIP services etc., while also trying to make some sense of where all our business identities are, we need to bring our ideas about risk management up to date and make sure that we are being pragmatic, doing our research, and above all, effectively communicating risk. That should include revisiting policy and putting a price on saying “yes” by following process-based risk assessment and mitigation procedures.
I try to get around some of the challenges by advocating a risk-profile-based approach to policy: i.e. there is a minimum baseline standard that applies across the board, with an increase in the time, effort, and cost associated with controls as the risk profile increases. The challenge comes in assigning the right profile. I generally use a simple formula, as follows:
risk profile = revenue * importance * data loss impact potential
It’s not an exact science and there is a degree of subjectivity in the assessment, but it’s good enough. Remember, the most important thing is to reduce and manage risk: we can’t eliminate it.
Let me know if you agree or disagree.