In my first part of this series on [risk management], I discussed some basic reasons for moving from a reactive security state, constantly putting out fires with point solutions that may or may not integrate with each other, to a plan based on risk analysis. But that risk analysis can be complicated, and while planning is important, over-planning and “paralysis by analysis” can be as bad as none at all. A precisely quantified risk analysis is difficult to create and is the kind of report that tends to be outdated by the time it is completed in any case. A quick and dirty approach can provide some guidelines, and it can be refined and repeated fairly often to keep the plan up-to-date.
The object of the risk analysis is to establish a maximum business cost should each potential event actually happen. This then can be compared to the cost of different mitigation approaches to arrive at an optimal strategy that mitigates the risk to a level that the business can accept without spending more money on mitigation that the risk is worth. This allows the planner to maximize the limited resources available. Without an analysis, the tendency is to over-invest in some areas and, consequently, under-invest in others (or ignore them completely until an emergency develops that catches everyone by surprise).
Several factors go into any risk management analysis. The main ones are the maximum business cost of each potential exploit; the likelihood of each possible event; and the comfort level of the enterprise as a whole. So the first step in the program is to identify and roughly quantify these for each risk. However, before starting this, review the list of risks and eliminate any that:
- Do not come under the purview of the planner's responsibility (e.g., physical building security, HR risks).
- Are trivial and therefore do not need mitigation.
- Are beyond the organization's ability to survive, or are so large that the IT damage is a trivial concern (e.g., death of the owner of a sole-proprietor business, a regional disaster for a small business).
This allows the planner to focus on those risks that require attention and can be mitigated.
Once this is done, a rough analysis can be performed in a three-step process:
- List and rank relevant risks according to business cost, likelihood of the event, and the corporate risk comfort level. Like everything IT does, risk management needs to be based on business strategy.
- Select the best mitigation strategies based on price versus potential loss: While IT usually turns to technological solutions to mitigate technological risks, other choices exist, and some risks are not amenable to technological solutions. Personnel risks are best mitigated by strong management practices including investing in management courses for IT managers. Disaster mitigation certainly should include insurance as well as DR. Outsourcing, either to traditional outsourcers or to Cloud vendors, is another way to mitigate risk by shifting it to the service provider. In any case, the cost of the mitigation technique should not exceed the potential loss.
- Develop a multi-year strategy: No IT organization has the resources to do everything in a single year. A realistic strategy identifies what needs to be done now and what can, or may have to, be put off to another day. This may mean partially mitigating risks this year and then upgrading over the next two years. The plan has to accept that the enterprise will never be completely safe; sometimes an exploit will succeed or a disaster will strike regardless of what measures are in place. The goal is to decrease the number of these events and to limit the damage when they do occur.
Finally, present the plan to senior management and get their response. They need to know the extent of the major risks the organization faces and what is being done to mitigate those risks. This needs to be presented in business terms and focus on costs versus benefits. Leave the technical discussions of how to mitigate the problems in the IT department.
In the third part of this series I will take a closer look at some of the issues involved.
Action Item: Use a quick-and-dirty approach to quantifying the business cost of each important risk that comes within the security officer's purview, and then multiply that by the likelihood of the event, all modified by the effects of mitigation methods already in place. Then identify the amount that each needs to be reduced to meet the corporate risk comfort level. And rank them accordingly. Identify the cost and mitigation level provided by each of the possible strategies and compare that to the potential loss to arrive at an optimal mix of mitigation strategies. Finally compare the costs of mitigation to the resources available and develop a multi-year plan to bring the risk level in line with business strategy, and present this to senior management and, in large enterprises, to divisional and line-of-business heads.
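As an added example (not from the original article), here is the Action Item's arithmetic applied to a constructed set of risks: expected loss as business cost times likelihood, discounted by mitigation already in place; the cheapest strategy per risk that reaches the comfort level without costing more than it saves; and a multi-year plan laid out against a yearly budget. Every figure, risk name and strategy name below is a made-up sample value.

```python
# Added example: quick-and-dirty risk ranking and mitigation selection (constructed data).
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    max_cost: float    # maximum business cost if the event happens
    likelihood: float  # probability of the event in a given year
    existing: float    # fraction of that loss already prevented by current mitigation (0..1)
@dataclass
class Strategy:
    name: str
    cost: float        # annual cost of the mitigation
    reduction: float   # fraction of the remaining expected loss it removes (0..1)
def expected_loss(r):
    """Business cost x likelihood, modified by mitigation already in place."""
    return r.max_cost * r.likelihood * (1 - r.existing)
def rank_risks(risks, comfort):
    """Risks whose residual loss exceeds the comfort level, largest gap first."""
    gaps = [(r, expected_loss(r) - comfort) for r in risks]
    return sorted([g for g in gaps if g[1] > 0], key=lambda g: g[1], reverse=True)
def choose_strategy(r, options, comfort):
    """Cheapest option that reaches the comfort level and costs no more than it saves."""
    loss = expected_loss(r)
    ok = [s for s in options if loss * (1 - s.reduction) <= comfort
          and s.cost <= loss * s.reduction]
    return min(ok, key=lambda s: s.cost) if ok else None
def multi_year_plan(risks, options, comfort, annual_budget):
    """Fund strategies in rank order, spilling into the next year once the budget is spent."""
    plan, year, spent = {}, 1, 0.0
    for r, _ in rank_risks(risks, comfort):
        s = choose_strategy(r, options.get(r.name, []), comfort)
        if s is None:                         # nothing affordable reaches the target
            plan.setdefault("unmitigated", []).append(r.name)
            continue
        if spent + s.cost > annual_budget:
            year, spent = year + 1, 0.0
        spent += s.cost
        plan.setdefault(year, []).append((r.name, s.name))
    return plan

COMFORT, BUDGET = 20000.0, 42000.0            # constructed comfort level and yearly budget
RISKS = [Risk("ransomware", 500000, 0.25, 0.25), Risk("insider data theft", 250000, 0.125, 0.0),
         Risk("datacenter power outage", 120000, 0.5, 0.5), Risk("lost laptop", 40000, 0.75, 0.5)]
OPTIONS = {"ransomware": [Strategy("offline backups", 20000, 0.5), Strategy("EDR rollout", 40000, 0.875)],
           "insider data theft": [Strategy("DLP suite", 30000, 0.75), Strategy("quarterly access reviews", 5000, 0.5)],
           "datacenter power outage": [Strategy("UPS and generator", 25000, 0.875),
                                       Strategy("business interruption insurance", 4000, 0.5)]}
```

Note that the power-outage risk ends up with insurance rather than hardware, and the lost-laptop risk is already within the comfort level and gets no spend at all.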