Risk Management Skills
By Mark Zimmerman
We all cringe when we see a member of executive management heading in our direction clutching a trade magazine with the latest WIBHI (Wouldn’t It Be Horrible If) article highlighted. To help address this situation, we’ll discuss a topic that, unfortunately, is still far more written and talked about than actually understood or implemented within the Information Technology department: Risk Analysis.
I’m talking about Risk Analysis skills at the day-to-day, rubber-meets-the-road implementation level, versus that once a year frantic exercise done a half hour before the auditor arrives. You know, the guy (or gal) who freaks everyone out by setting himself up in the conference room and calling people in to ask them to describe their job functions.
Gone are the days when “good enough” computer security was simply a factor of limited time and resources. Today, “good enough” has to be a factor of recognizing and determining where to concentrate resources, where they afford the most value and selectively de-prioritizing those that do not.
While everyone is enamored with the latest and greatest technical solutions, the largest value that can be afforded to a corporation and its IT department may well be Risk Analysis. You may think I’m overstating my case. You may think Risk Management is a trend bound to be eventually marginalized. Think again!
Is it more important to patch quickly or comprehensively? Can you achieve both?
At what point does IDS review no longer pay off?
What should my priorities be for capital and resources?
Risk Analysis can provide answers to these questions. You should know that those answers may differ significantly from the financial institution next door, but at least those decisions can be explained and justified plainly and succinctly using the universal-results reporting medium understood by all of upper management—money.
Okay, so Risk Analysis is not sexy. You can’t cause the same glazed look to appear on someone’s face by speaking of annual rates of occurrence that you can by mentioning cryptographic hash algorithms and OC-48 Synchronous Optical Networks, but wouldn’t it be refreshing to be able to justify that headcount or next security solution without having to trot out Alice and Bob, or having to define levels and dependencies of the ISO Model?
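The “annual rates of occurrence” and the money-based reporting the post leans on come down to a short calculation: a Single Loss Expectancy (SLE, dollars per incident) times an Annual Rate of Occurrence (ARO, incidents per year) gives an Annualized Loss Expectancy (ALE), and a control is worth funding only when the ALE it removes exceeds what it costs per year. The following is an added example, not code from the original post or from Verizon Business; every scenario, dollar figure and control effect in it is constructed for illustration, and it answers the post’s three questions (patching, IDS review, capital priorities) the way a quantitative risk analysis would.

```python
"""Added example (not from the original post): quantitative risk analysis with
SLE, ARO and ALE, ranking candidate controls by net annual benefit.
All scenarios, dollar amounts and control effects below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: dollars lost per incident
    aro: float  # annual rate of occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO (dollars per year)."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    scenario: str           # name of the scenario this control mitigates
    annual_cost: float      # yearly cost of running the control, in dollars
    aro_reduction: float    # fraction of incidents prevented (0..1)
    sle_reduction: float = 0.0  # fraction of per-incident loss avoided (0..1)


def residual_ale(s: Scenario, c: Control) -> float:
    """ALE that remains after the control is applied."""
    return (s.sle * (1 - c.sle_reduction)) * (s.aro * (1 - c.aro_reduction))


def net_annual_benefit(s: Scenario, c: Control) -> float:
    """Dollars saved per year by the control, net of its own cost.
    Negative means the control costs more than the risk it removes."""
    return s.ale - residual_ale(s, c) - c.annual_cost


def rank_controls(scenarios, controls):
    """Return (control name, rounded net benefit) sorted best first."""
    by_name = {s.name: s for s in scenarios}
    rows = [(c.name, round(net_annual_benefit(by_name[c.scenario], c), 2))
            for c in controls]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def worth_funding(rows):
    """Controls whose net benefit is positive; the rest are de-prioritized."""
    return [name for name, benefit in rows if benefit > 0]


# Constructed scenarios (hypothetical figures, not industry data).
SCENARIOS = [
    Scenario("Unpatched internet-facing server compromised", sle=200_000, aro=0.5),
    Scenario("Laptop with customer data lost", sle=50_000, aro=2.0),
    Scenario("Intrusion goes undetected for months", sle=300_000, aro=0.2),
    Scenario("Data center fire", sle=5_000_000, aro=0.01),
]

# Constructed candidate controls and their assumed effects.
CONTROLS = [
    Control("Automated patch management", SCENARIOS[0].name, 40_000, aro_reduction=0.8),
    Control("Full-disk encryption on laptops", SCENARIOS[1].name, 15_000,
            aro_reduction=0.0, sle_reduction=0.9),
    Control("Daily manual IDS log review (1 FTE)", SCENARIOS[2].name, 90_000,
            aro_reduction=0.6),
    Control("Tuned IDS alerting with weekly triage", SCENARIOS[2].name, 25_000,
            aro_reduction=0.4),
    Control("Fire suppression upgrade", SCENARIOS[3].name, 60_000,
            aro_reduction=0.0, sle_reduction=0.5),
]


def main() -> None:
    for s in SCENARIOS:
        print(f"{s.name:<48} ALE ${s.ale:>12,.0f}")
    print()
    for name, benefit in rank_controls(SCENARIOS, CONTROLS):
        print(f"{name:<48} net ${benefit:>12,.0f}")
    print("\nFund:", ", ".join(worth_funding(rank_controls(SCENARIOS, CONTROLS))))


if __name__ == "__main__":
    main()
```

With these constructed numbers the two IDS review options both come out negative, which is the quantitative form of the post’s “at what point does IDS review no longer pay off” question: the cheaper, tuned option is close to break-even while a full-time manual review is not, and a different institution with a different ARO would get a different answer from the same arithmetic.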
Plus you will be building a whole new level of respect for yourself and your department by making the effort to function in the world of business rather than perpetuating those prima donna stereotypes hiding behind those foreboding security access doors.
My point is, in today’s IT department, a foundational understanding of Risk Management is becoming just as important as technical knowledge. I’m not talking about being able to accomplish comprehensive audits and the ability to quote actuarial statistics, simply a firm understanding of the basic tenets of Risk Analysis and how it relates to everyday tasks. Add these to your team’s list of required knowledge and you will see a new level of consideration and cooperation afforded your efforts. Many companies accomplish this with a brief high-level training class.
If you want to know how a building is constructed, it’s best to talk to the architect. No one knows the business processes, information dependencies and data flows better than those who design, create and maintain them. When Verizon Business Security Solutions is contracted to complete a Risk Assessment for a customer, it’s necessary to first conduct comprehensive, in-depth interviews with key departments/individuals/etc.
Having the basic principles of Risk Analysis hardwired within an IT group’s standard operating procedures will make this process much more intuitive. The result will be to improve the quality of the compiled data and the decisions made as a result of the analysis of the data.
So next time the Network Engineers come calling asking for vendor training or to go to that conference in Vegas, tell them to add a Risk Analysis course to their list. And when the C-level exec climbs out of the elevator with wide eyes and the torn WIBHI article tucked into the back of his SkyMall, explain to him that you’ve already conducted a Risk Analysis on the scenario that is causing him to hyperventilate. He’ll be impressed, completely.
Tags: Information Security, InfoSec, reasonable control, risk