Addressing Risk Management Aversion
When I think of information security in the broadest sense, I immediately think of managing and mitigating risk. I know of no more appropriate way in which to view our discipline and have for years and years (largely due to my diverse background in consultancy organizations) struggled to understand why there is opposition to this point of view. Risk management is a widely accepted discipline within other industries, namely finance, but also within enterprise operational business models (often referred to as ‘enterprise risk management’ or ‘fiduciary risk management’). It pains me to no end that today, in the year 2010, there is still such an egregious misunderstanding of risk management within business. It worries me that there is so much opposition to asking and answering three very simple, yet insightful questions about one’s enterprise environment:
1. Do you have an Information Security Risk Management Program?
2. Describe it in detail.
3. Describe your policy, process, and procedural documentation, your security awareness training programs, and your operational model as they pertain to your business line.
It troubles me deeply that there are so many misgivings with respect to the benefits associated with, and derived from, proper management of risk. Companies need to establish a solid, comprehensive risk posture from which a security program and framework can be derived to meet the needs of the organization, both as a whole and at the individual level among business units and contributors.
So how do we change the perceptions of risk management within our industry? There are many ways to begin, though none are trivial. The process requires us, as industry professionals, to decide whether or not we view risk management as a legitimate discipline. This is something which cannot be legislated, nor can it be faked. One either sees the realities associated with being able to manage risk in qualitative and quantitative terms, or one does not. It is as simple as that. Risk management exercises (provided they are undertaken) are unique to the individual organizations endeavoring to learn from the process. These exercises rely on transparent and accurate data; otherwise their yield is worthless, because it neither reflects fact nor sustains it. Open, honest discourse about the data brought to bear is essential to this process. Should this be found lacking, then the entirety of the process must be called into question, with any and all data points held under close scrutiny.

This blog posting is not, in any way, meant to trivialize the process of risk management or oversimplify the challenges associated with it. By no means! It is, however, meant to be a catalyst for thought: a morsel for consideration which will ideally lead to more mature discussions and help remedy the madness which clouds and obstructs our collective vision.
July 23, 2010
