Making Sense of Risk Management in the IT Security Field: Risk Management and Security Series, Part III
There is an intrinsic relationship between risk management and security metrics. I don't believe that an organization can have a solid risk management program without first having a solid set of security metrics to work from.
Risk management is identifying, quantifying, and managing risks. How can you properly quantify something without some real numbers that make sense?
But before you start investigating all the available risk management methods and models out there, and before you start to think about the metrics that should be developed within your organization, save yourself some timefind out what is currently going on.
When I am working with a new client, I never walk in the door with just one risk model to work from. Before I shake one person's hand at a customer site, I know that the organization already knows and understands risk. The company understands business risk, but not necessarily information security risk.
Most organizations are already working within some type of business risk model. If it is a for-profit company, for example, it has to have a certain risk appetite set and understand its own risk universe. Its risk model helps them make decisions about whether the company should purchase another company, whether a new product should be developed, whether a layoff should take place, and so on.
Most organizations are already mature in their understanding and dealings with riskbut not from an information security perspective.
So if I walked in the door with just one risk model and it does not fit my client's current business risk model, we are setting out a track to waste a lot of time and money. Information security risk is just one type of risk and it needs to "roll up" into the organization's overall risk program.
Let's dissect this piece a bit. Who are responsible for risk within an organization? Executives. Who hold the purse strings within an organization? Executives. Who need to understand what the company's current security posture is and what it should be? Executives.
Now let's say that the executives of the organization currently use Balanced Scorecards to understand and discuss risk as it applies to the company. If I come in and set up a risk management model that uses a rating system of 110, a color-coded scheme (red, yellow, green), or a four quadrant approach, how do they equate to Balanced Scorecards? They don't.
You can set up a full information security risk management program, and if it does not directly relate to the current business model it will forever stay in a silo. The executives will never understand what is going on within the world of information security as it pertains to their organization.
On the other hand, if I walk in with a risk management solution that is based on Balanced Scorecards, and my client's current risk methodology is qualitative and the client uses a rating system, we are in the same position.
We will forever be struggling to communicate by using two totally different languages. You need to find out what language the executives at your organization use and integrate it into your risk management program and ultimately your security metrics.
I have no doubt that many of you who are reading this work are in organizations that are in the process of setting up a risk management program. I say "in the process" because most organizations chase their tails when it comes to risk management, spend a lot of money on trying to accomplish it, and have no real end in sight.
Find out whether there are discrepancies between your organization's business risk model and your information security risk model.
These discrepancies are common for a few reasons:
- A consulting firm was brought in that works from only one boiler-plate risk model.
- Someone who does not understand the business side of the organization is developing the information security risk management program.
- There are no clear cut "how to" directions to follow when it comes to setting up risk management programs.
- There is a lack of risk methodology standardization within the industry.
- The information security risk management program is being set up with only technology in mind.
Depending upon the level of the food chain you reside at and the size of your organization, finding out what risk model the business side of the house uses may be a bit challenging.
If you are in a CSO, CISO or C-level position, it will be relatively easy because you can easily communicate with the CFO on this.
If you are at a lower position within your organization, you may need to convince your security officer to find this information.
I have worked within small private companies in which anyone and everyone was available to answer my questions as I needed them. And I have worked in some of the largest corporations that were filled with barriers between me and those who had the answers I needed.
You are in your own company maze and you must figure out how to navigate.
Stay tuned for Part IV!
For more information visit http://www.logicalsecurity.com.