Information Security

Defending the digital infrastructure


Layer8: Applying numbers to risk management

Quality Counts, Not Quantity

Risk management brings you closer to the business, but you must understand that risk is not a numbers game.

When I started in IT in the late 1980s, the discipline of protecting computers was unambiguously referred to as computer security. In the mid '90s, we had heated discussions over the appropriateness of the term information security. Just a few years ago, most of the vendors that had earlier touted their wares as infosecurity products decided to reposition themselves as being in the compliance business. At about that same time, I caught flak for using this column to suggest security was a risk management function. Now the term du jour is GRC, an unpronounceable acronym standing for governance, risk and compliance.

Terminology inflation represents a positive trend in this case. It is indicative of a legitimate broadening of perspective and improved alignment with the business.

Security is a specialized task, a narrow focus on a specific set of vulnerabilities that can potentially be exploited by humans. In practice, most security specialists exceed the narrow definition, paying some level of attention to integrity and availability, along with confidentiality. But risk management is a generalist approach, encompassing security and going well beyond it, trying to understand the totality of unwanted things that could happen, and setting preventative priorities.

Whatever particular information-related concern you may be tasked to deal with, you'll never be able to manage it appropriately if you don't understand where you fit into the big picture, and why infosecurity is increasingly being described as a risk management function.

A common misunderstanding of risk management is that it always involves statistical quantification of risk (the current global financial system crisis once again shows the folly of believing that a sufficiently complex statistical model can eliminate risk). In fact, risk management processes are generally qualitative, and most organizations would be well on their way toward infosecurity maturity if they could accurately identify their top one-fifth most sensitive servers.

Risk management is a process-oriented method, choosing decision models that work with the available information. In today's world of sophisticated malware and ubiquitous connectivity, this means ensuring all systems have some baseline of protection. It also means identifying information that is especially critical to meeting business goals, including regulatory compliance, and finding cost-effective ways to exceed the baseline level of systems protection. For many companies, data leaking from inside is finally being recognized as the type of information risk that most needs addressing.

A growing number of organizations are finding that risk management techniques, usually qualitative ones, are not only an effective way to determine priorities, but naturally lead to a closer relationship with the business. New technology continues to bring new exposures, and both regulatory and contractual requirements continue to increase, sometimes in incompatible ways. As life continues to get more complex, we have to grow correspondingly complex in our efforts to reduce losses. If we don't want to be marginalized, we have to communicate in a language that resonates with the business. The business managers don't speak security; they speak risk.

