Let's make one thing clear: a risk management programme is not the same as deploying an IT security initiative.
Simply put, risk management is about focusing security investment where the risk is greatest, but even that doesn't really do justice to the subtle mix of business, cultural and technological considerations involved.
According to Ken Lieberman, ex-risk and compliance manager at VISA and now a consultant in the field, professionals need to start thinking about risk in value terms.
"It's not a binary issue – am I secure or not – but a continuum, a constant dialogue with the business. The scenario is always the same: how much or how little can we stand to lose?" he says.
Many organisations still don't have a good understanding of what it is they're trying to protect, let alone a formal approach to working out the security risks. Security is just one more type of risk in today's working environment, but one that needs careful and considered management, and a risk management programme is how an organisation gets that part right.
Richard Keighley, principal consultant at the security consulting practice of Capgemini, says that whenever a customer asks him how much security they need he replies: "How much risk are you prepared to accept?" Risk management is about understanding what problems you may face and dealing with that risk in a coherent manner.
"This goes beyond network risk – we could be talking about environmental impact or health and safety consequences," he says.
Too often security implementation is driven by technologists in the company, broadcasting the latest perceived threat and a smart technical solution.
"The problem is that, unless a risk analysis exercise has been undertaken, there is the potential to overlook areas that really do need protection, at the same time as over-protecting others – with all the associated costs and restrictions that implies," says Dave Martin, managing security consultant at LogicaCMG.
It follows that risk analysis revolves around identifying what you actually want to protect, quantifying the impact on the business if its confidentiality, integrity or availability is lost, assessing the level of threat to the service and then deciding what protection is really needed and justified.
A slew of specialist terms and definitions have sprung up to help organisations do just that. But it still all boils down to knowing – and being able to demonstrate to others – that you know what your risks are and how you are dealing with them.
Risk management isn't just about IT. Kelly Schupp, security market manager at Micromuse (now part of the IBM Tivoli family of products) says: "Risk management today is about the integration of both IT and operations and getting away from the silo approach we've used too often in the past."
Nor does it mean all threats should be taken equally seriously – an approach that would soon drain your budget if carried to its logical extreme.
"A network might have 250,000 security rules – are they all equally mission critical? Of course not. The vast majority of existing controls may already mitigate them. The exercise here is to define what can really hurt, then take steps to reduce that potential for harm," says Ed Cooper, worldwide marketing vice president at Skybox Security.
The established security management frameworks agree on the starting point: in order to work out what their risks are, organisations need to know just what information they need to protect and how important it is.
This is also known as the business impact – that is, what the unwanted consequences might be if a security incident occurs, such as information being disclosed or modified by an unauthorised individual, or being unavailable over a period of time.
Linked to this should be a list of the threats to that information, including the possible motivations of any attacker, their resources and their likely modes of attack, as well as less specific potential issues such as acts of nature and accidental damage. Finally, you should outline the organisational vulnerabilities that those threats might exploit.
Good risk managers will want to think not only about procedures for dealing with risk but also about whether they want to do anything at all. The decision will rest ultimately on how much risk the organisation is prepared to tolerate – hence the concept of risk appetite.
Not all of us look both ways every time we cross a road, nor get that bothered by a just-passed sell-by date on an item in the fridge, and it's the same for enterprises, both large and small.
There are typically four ways to process and deal with risk. The first is avoidance – not doing the thing that gives rise to the risk in the first place, such as choosing not to do business over an insecure web connection.
Next is transference – making the risk someone else's problem. For example, passing it on to insurers or service providers.
Or you can attempt to reduce the level of risk. Examples might be using encryption for communications, restricting access to the server room or doing background checks on all new staff.
Finally, some organisations opt for acceptance – living with the fact that they can't, or won't, do anything to mitigate the risk, but clearly understanding and accepting the consequences of doing so.
Other key principles of good risk management include traceability between the risk and its treatment to ensure accountability: at the end of the day, someone has to own and be held accountable for a risk decision.
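As an added worked example (not code from the article or from any of the firms quoted in it), the small risk register below puts numbers on the procedure just described: each entry records the asset, the threat, an accountable owner, the cost of a single incident and an expected annual rate; the register is ranked by expected loss so that spend goes where the risk is greatest; and for each entry the cheapest of the four treatments (avoid, transfer, reduce, accept) is chosen and the residual exposure is compared against a stated risk appetite. The annualised expected-loss model, the appetite threshold, the names and every figure are constructed assumptions for illustration; the article prescribes no particular formula.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: a minimal risk register with a quantitative treatment decision.
# The expected-loss model (single loss x annual rate) and every figure below are
# constructed assumptions for illustration, not data from the article.


@dataclass
class Risk:
    asset: str                    # what we are protecting
    threat: str                   # who or what could harm it
    owner: str                    # the person accountable for the decision
    single_loss: float            # cost of one incident (lost confidentiality, integrity or availability)
    annual_rate: float            # expected incidents per year
    control: Optional[str] = None             # the "reduce" option, if one has been costed
    control_cost: float = 0.0                 # annual cost of that control
    residual_factor: float = 1.0              # fraction of the rate that survives the control
    transfer_premium: Optional[float] = None  # annual premium if the risk can be insured or outsourced
    avoid_cost: Optional[float] = None        # annual value forgone by not doing the activity at all

    def expected_loss(self) -> float:
        """Annualised expected loss before any treatment, rounded to pence."""
        return round(self.single_loss * self.annual_rate, 2)


def rank_register(register: list[Risk]) -> list[Risk]:
    """Largest expected loss first: where the security spend should be focused."""
    return sorted(register, key=lambda r: r.expected_loss(), reverse=True)


def choose_treatment(risk: Risk, appetite: float) -> dict:
    """Pick the treatment with the lowest total annual cost (spend plus residual
    expected loss) and flag it if the residual still exceeds the risk appetite."""
    ale = risk.expected_loss()
    # (name, annual spend, residual expected loss after the treatment)
    options = [("accept", 0.0, ale)]
    if risk.control is not None:
        options.append(("reduce", risk.control_cost, round(ale * risk.residual_factor, 2)))
    if risk.transfer_premium is not None:
        options.append(("transfer", risk.transfer_premium, 0.0))
    if risk.avoid_cost is not None:
        options.append(("avoid", risk.avoid_cost, 0.0))
    name, spend, residual = min(options, key=lambda o: o[1] + o[2])
    return {
        "asset": risk.asset,
        "threat": risk.threat,
        "owner": risk.owner,          # traceability: who signed off this decision
        "expected_loss": ale,
        "treatment": name,
        "annual_spend": spend,
        "residual_loss": residual,
        "over_appetite": residual > appetite,  # needs the owner's explicit sign-off
    }


# Constructed register (hypothetical figures in pounds per year).
REGISTER = [
    Risk("customer database", "compromise via the public web application", "Head of Online",
         single_loss=2_000_000, annual_rate=0.05,
         control="application testing and web firewall", control_cost=40_000, residual_factor=0.2,
         transfer_premium=90_000),
    Risk("head office", "flood", "Facilities Director",
         single_loss=500_000, annual_rate=0.02,
         control="flood barriers", control_cost=15_000, residual_factor=0.1,
         transfer_premium=12_000),
    Risk("payment gateway", "denial-of-service outage", "Head of Payments",
         single_loss=300_000, annual_rate=0.5,
         control="upstream traffic scrubbing", control_cost=30_000, residual_factor=0.5,
         avoid_cost=200_000),
]

RISK_APPETITE = 25_000  # assumed: the largest residual annual loss the board will tolerate per risk


def treatment_plan(register=REGISTER, appetite=RISK_APPETITE) -> list[dict]:
    """The register in priority order, each entry with its chosen treatment."""
    return [choose_treatment(r, appetite) for r in rank_register(register)]


if __name__ == "__main__":
    for d in treatment_plan():
        flag = "  ESCALATE" if d["over_appetite"] else ""
        print(f"{d['asset']:18} {d['threat']:45} ALE {d['expected_loss']:>9,.0f} -> "
              f"{d['treatment']:8} spend {d['annual_spend']:>7,.0f} "
              f"residual {d['residual_loss']:>7,.0f} owner: {d['owner']}{flag}")
```

Run it and the register prints in priority order with the chosen treatment and the accountable owner for each entry. The flood risk is accepted because its expected loss already sits inside the appetite; the database risk is reduced because the costed control beats both insurance and doing nothing; and the payment-gateway line is flagged because even the cheapest option leaves more exposure than the appetite allows, which is exactly the decision the owner must be asked to sign off rather than let it default.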
If any of this looks daunting, you might be tempted to look for comfort in adherence to standards. However, the ISO and BSI materials say "a risk management exercise should be carried out", but give little guidance on how and what such an exercise would look like.
Meanwhile, Sarbanes-Oxley legislation says not much more than there should be adherence to "reasonable controls" around risk management. PwC's own FAQs on risk management are equally bland: "To achieve its business objectives, management will want to ensure that sound risk management processes are in place and functioning." Well, yes.
The message is that standards are cool, but don't rely on them. "Standards are a great baseline, but all organisations have to bring something of their own to this to make it work," says Lieberman. "Can you afford to wait for something helpful in BS7799 Part 3 that may be a year off? Getting to work on this now is the better path, surely."
A firm like LogicaCMG offers an audit based on a matrix of around 30 likely common threats, from technology glitches to disasters like fire and flood.
"There's always a surprise. It's part of the fun of the job," says LogicaCMG's Martin. "One client's technical security manager said the issue was lack of board acceptance. So he showed us the email he was sending his boss and even I was lost in paragraph two, it was so dense. Another client hired two convicted hackers into his bank's development team on the new online banking project because they were 'nice guys'."
An audit can be a good place to start defining risk management objectives. But don't go to the extreme of producing tomes that won't ever be read. Focus on what can be understood by your peers and put to good use today.
"You just can't ignore this," says Shaun Fothergill, European Security and IT Strategist at CA. "Don't rely on standards. Be proactive and go and have the dialogue with the business people, find out what's important to them and base your response on that."
In the end, these technical aspects are of less interest to the wider business than a helpful metric as to why they should invest in any risk management initiative. Martin has a suggestion that you might find useful: "Ask how much the CEO is prepared to pay not to be on the BBC news tonight."