This article can also be found in the Premium Editorial Download "Information Security magazine: Does security make the grade in Windows Server 2008?."
Risk management brings you closer to the business, but you must understand that risk is not a numbers game.
Terminology inflation represents a positive trend in this case. It is indicative of a legitimate broadening of perspective and improved alignment with the business.
Security is a specialized task, a narrow focus on a specific set of vulnerabilities that can potentially be exploited by humans. In practice, most security specialists exceed the narrow definition, paying some level of attention to integrity and availability, along with confidentiality. But risk management is a generalist approach, encompassing security and going well beyond it, trying to understand the totality of unwanted things that could happen, and setting preventative
Whatever particular information-related concern you may be tasked to deal with, you'll never be able to manage it appropriately if you don't understand where you fit into the big picture, and why info-security is increasingly being described as a risk management function.
A common misunderstanding of risk management is that it always involves statistical quantification of risk (the current global financial system crisis once again shows the folly of believing that a sufficiently complex statistical model can eliminate risk). In fact, risk management processes are generally qualitative, and most organizations would be well on their way toward infosecurity maturity if they could accurately identify their top one-fifth most sensitive servers.
Risk management is a process-oriented method, choosing decision models that work with the available information. In today's world of sophisticated malware and ubiquitous connectivity, this means ensuring all systems have some baseline of protection. It also means identifying information that is especially critical to meeting business goals, including regulatory compliance, and finding cost-effective ways to exceed the baseline level of systems protection. For many companies, data leaking from inside is finally being recognized as the type of information risk that most needs addressing.
A growing number of organizations are finding that risk management techniques, usually qualitative ones, are not only an effective way to determine priorities, but naturally lead to a closer relationship with the business. New technology continues to bring new exposures, and both regulatory and contractual requirements continue to increase, sometimes in incompatible ways. As life continues to get more complex, we have to grow correspondingly complex in our efforts to reduce losses. If we don't want to be marginalized, we have to communicate in a language that resonates with the business. The business managers don't speak security; they speak risk.
This was first published in February 2008