The recent financial meltdown has led me to give some thought to information security risk management processes. After all, these processes originated in the financial community long ago. So where does this leave today's security practitioner? Are risk management processes for IT security still valid? Are we putting our businesses at higher risk of failure by relying on them?
A recent article by Rene Stulz in the Harvard Business Review for March 2009, "6 Ways Companies Mismanage Risk", identifies six failures of financial risk management. Here are his six items and how each can be used to revisit risk management processes for IT security.
1. Relying on Historical Data. In the financial world, risk managers relied primarily on recent statistical data; a longer time perspective might have given them pause about the risks being taken. In the IT world, the (somewhat ironic) good news is that we have very little data to use for statistical analysis, so we are less tempted to over-fit to it. We are, however, now at the 13th CSI Computer Crime and Security Survey, and reported losses are down. Should we relax and assume that technology has beaten the bad guys? I suggest instead that firms brainstorm all plausible security risks, not just the ones the data already shows. Recent events suggest that IT risk management needs to capture and document low-probability, high-impact events, not only the "Top Ten" for which funding may be available. If funds are not available to mitigate low-probability risks, at a minimum contingency plans need to be put into place for them.
2. Focusing on Narrow Measures. Business runs on metrics. However, metrics do not always capture the true risks. Although metrics are necessary for determining security effectiveness, it is too easy to rely on them alone. Do the metrics truly reflect the external and internal risk environment? Since both may change rapidly with business conditions, we need the ability to implement new measurements quickly, with a quarterly review of whether the existing metrics still apply.
3. Overlooking Knowable Risks. Risks can get ignored because they are obscured in silos of the business. Although the IT security function may report to the CIO, it is critical to make sure that all parts of the business are included in any information security risk assessment. Security risk assessments should be part of, or at least coordinated with, the enterprise risk assessment and the functions that own it.
4. Overlooking Concealed Risks. Business units may not report all of their information security gaps. It is the responsibility of the IT security function to build relationships at all levels within each business unit, so that risks are reported accurately rather than concealed.
5. Failing to Communicate. This issue concerns communication upward, to the CEO, COO or security management committee. Even if accurate risk information is collected, it must be presented clearly to top management, in terms that make sense to them. Otherwise, no action will be taken.
6. Not Managing in Real Time. Events can change faster than we can keep up: mergers take place, new business endeavours start up. Risk assessments need to be revisited at least quarterly, and revised whenever the business changes. A strategy of continuous improvement should be put into place, rather than a "big bang" risk assessment performed once and then left to age.
In summary, my critical takeaways from this are:
- The importance of effective communication between IT security and all levels of the business
- The importance of continuous monitoring of risk
- The importance of thinking outside the box and addressing low-probability, high-impact events
Hopefully we can all learn something from today's financial crisis and use it to prevent a future information security crisis.