The first step to managing risk is to identify the dangers to your organisation
Risk management can be an incredibly dry topic, but managing risk is something we do every day of our lives.
Risk assessment is a part of that process, and mitigation of risks, vulnerability or threat assessment and asset identification are also all part of risk management - and each of us does them to some extent on a daily basis.
Last week I entered an uncontrolled area, identified a significant threat to one of my tangible assets and mitigated that risk by putting the bread knife in the kitchen drawer so my three-year-old could not cut herself. We do that type of risk management thousands of times without thinking, but when we are asked to take a similar view of our business lives, most of us do it selectively at best.
Unfortunately, risk is not as selective. Your business is at risk in many ways and the threats which can strike as a part of these risks are constantly evolving.
Defining risk has always produced varying and challenging answers. I think the best definition of risk is as follows: "Risk is the likelihood of a given threat source exercising a particular potential vulnerability and the resulting impact of that adverse event on the organisation."
Risk management is misunderstood so much that the terms are often interchanged: threats, risks, vulnerabilities, likelihood, impact, weaknesses, probability. Many risk assessments only address part of the problem and this accounts for how many times we are caught out by an unexpected risk.
In the words of Monty Python, "No one expects the Spanish Inquisition..." Well I do, and I expect lots of other bad things to happen too, so it is a relief when they do not. Risk management is simply the process of identifying, evaluating, controlling and mitigating risk.
So, the boy scout approach is the only way forward, but how do we go about changing generations of mismanagement and misunderstanding? Businesses seem happy to be slowly pushing back the boundaries of what they feel is acceptable without appropriate defences. There are still many ways businesses could be seriously hit, and the only reason these events are not commonplace is because their probability is extremely low.
Conveying the message can be a little bit like walking around wearing an "end of the world is nigh" sign and belief certainly wanes when the predicted events do not occur.
I have observed over the years that not all security managers are well versed in risk management. In many cases, risk assessments are conducted on an ad hoc basis and only within certain parts of the business.
Another key factor to effectively managing risk is to ensure that the cost and levels of protection are commensurate with the value of the asset. A precursor to this is asset identification. After all, it is not possible to protect something if you do not know it exists.
Throughout the UK and Europe too many firewalls and anti-virus systems are implemented without proper risk assessments taking place. Instead, assumptions are made or previous bad experiences are recounted and the product is purchased and put in place.
Firewall and anti-virus products are the only accepted technologies modern businesses do not really challenge. Firms accept there is a risk. They certainly have seen and possibly even experienced not being protected and therefore consider such products as essential. Unfortunately, many businesses dread hearing about the next technology that qualifies in the "absolutely must have" category.
As the threats are evolving and increasing, the potential impact increases as we become more reliant upon technology. Many of the peripheral technologies such as intrusion detection and prevention systems, virtual private networks, biometrics, content scanning and firewalls are all rapidly becoming "must haves".
The reality is that we should not simply assume we need the essentials of security. We must conduct a proper risk assessment before allocating our IT and security budget.
What most companies will find when doing so is that they can justify a firewall and anti-virus software because of identified risks, but they will also have identified some of the other technology requirements listed above. What the industry has to convince business leaders of is the need to go back and conduct this process for better understanding.
Phil Cracknell is chief technology officer at IT security supplier Netsurity