Embedding Sound Risk Management Practices into an Organization
Core principles for risk management adoption within an organization.
In information technology, it's next to impossible to separate the disciplines of data/network security and risk management, at least on the planning level.
Aside from massive power failures or just plain dumb software, the greatest IT risk most companies face is a security breach. Managing that effectively has to start with a cost-benefit analysis: how likely a breach is, how damaging one would be if it happened, and how much it will cost to mitigate it consistently. Weighing likelihood against impact against the cost of controls is the soul of risk management.
A piece at Gov Info Security puts a risk management focus on the latest wave of proposed federal cybersecurity legislation coming before the Congress.
The post focuses on an interview with Andy Purdy, a cybersecurity strategist and veteran of the Bush administration, who positions the Obama administration's desire to gather data and best-practice ideas from big corporations as a kind of risk-assessment tool. If the government can't monitor for risk, how can it possibly take an effective risk-management approach to securing the nation's computing systems?
Perhaps it's not surprising, then, that, as our own Sue Marquette Poremba reports, a lot of IT folks who opposed the controversial Stop Online Piracy Act (SOPA) seem pretty OK with the feds' latest foray into cyber-legislation. From a technical risk-management perspective, it makes a lot of sense. (As Sue notes, it may also ease the liability burden on companies for turning over personal data to the government, but that's another conversation - mostly.)
The mostly private owners of the nation's critical IT infrastructure have a legal obligation to safeguard their investors' interests, but those fiduciary goals can conflict with the nation's need to assure the flow of electricity, water or money. Risk management involves weighing costs against benefits, and the benefits to a shareholder are not necessarily the same as the benefits to a citizen.
Such conflicts of interest can be found in even small businesses, and they speak equally to the need for centralized risk management. Sales has its numbers to meet, and lowering the barriers to importing as many leads as possible won't seem like much of a risk in their world. IT and legal, however, want those gateways into the network locked up seven ways to Sunday.
Wherever risk management lives in the organization, it needs to have a complete view of the system and all the costs and benefits that determine acceptable risk. When setting IT security strategy, that may well mean folks other than IT should be crunching those numbers.