Is risk management just a trendy term in information security or is it here to stay?
Is security a risk management task? Is it even compatible with risk management? It's surprising how contentious these questions can be. Perhaps even more surprising is that talented and experienced people on both sides of this argument are unaware that so many others have a diametrically opposed opinion. So what's the answer?
Certainly, security must have something to do with risk. The classic formulation, Threat x Vulnerability = Risk, is one that skilled practitioners admit expresses some truth, and we typically speak in terms of doing risk "assessments." There is no doubt that dealing explicitly with risk is an integral part of security. So why not characterize this as "risk management?"
For one thing, it brings a lot of baggage with it. If it wasn't a buzzword before, all the hype associated with compliance has made it one. If it wasn't bad enough that we allowed some spin doctor to replace the perfectly serviceable and accurate "computer security" with something pretentious and imprecise like "information security," we compound the error with another pretentious and cynical attempt to raise our corporate status. A Johnny-come-lately approach to yet another business fad is only going to raise false expectations and lower our stature even further than it already is.
But what if it isn't a fad, but something that's here to stay? What if the business is so keen on risk management that it's been waiting for us to catch up? Maybe organized attempts to manage risk really can legitimately be grouped under the banner of some sort of greater risk management discipline. After all, the basic concepts are identical.
Risk management involves understanding how likely it is that something bad will happen, and making decisions about risk and control activities such that some sort of economic optimization is reached. Couldn't it also be the case that the risk management banner is the most effective way to bring some alignment and common structure to related processes like personnel and IT security and disaster recovery? If the business is asking us to help it make good decisions, shouldn't we want to accommodate it? Why wouldn't an information security professional want to sing from the same score as everyone else?
Concerns that we will do a trivial job of it, or that rote bureaucratic process will overcome security substance, are valid. And the expectation that risk management requires a belief in the precise quantifiability of business is often a stumbling block, but a needless one. The one thing that formal risk management does not imply is that there is any such thing as certainty in business; quite the opposite. Mature and effective risk management is about using the most appropriate tool for the job, not about using the one that provides answers in the most politically correct form.
I agree that the only thing worse than not aligning ourselves with the rest of the business would be to just pretend to do so. However, I don't agree with the argument that the information security profession will be better off by ignoring the growing trend toward a more formal approach to risk management across the entire organization.
At a minimum, there is a lot that we can learn from the other risk silos. More importantly, it is increasingly expected of us that we make a serious effort to align ourselves to business goals, including the operational risk management agendas. A decade from now, when we look back at this transition period, we'll wonder why we hesitated.