Firms realize that playing it safe is the riskier option


Over the past few months, however, my university and I have been negotiating a massive risk assessment/analysis with follow-up management for a year. We are proposing FARES (Formal Analysis of Risks in Enterprise Systems), an entirely new paradigm. As readers of this column know, FARES is about as far from the current state of the practice as it is possible to get and still be doing risk management.

But the sponsor, after thoroughly surveying the risk management landscape and trying many risk analysis products, decided this was the only answer. Why? Because there is absolutely nothing else that will manage risk in a network of this size and complexity, regardless of what the vendors say.

For the first time, in my experience, an organization was willing to risk a new approach simply because it was prepared to admit that all of the other methods being offered don't work.

The big consulting companies present old wine in new bottles and off they go, doing the same old thing but with a new batch of brochures and marketing hype. And the results? Well, I once had an email tag line that said "If you keep going where you've always gone, you'll end up where you've always been."

Now that some of that realization is sinking in, big organizations are getting ready to take a risk or two and try something that shows a lot of promise for solving problems that have never really been solved before.

There still are some providers taking advantage of the old FUD-factor that "nobody ever got fired for buying [insert vendor here]." When that happens everyone loses. For example, consider the recent FBI database debacle. How many times have we seen similar failures in the past?

If you are going to implement a major information security project, new or old paradigms aside, manage the project, assess the risk and manage the risk. Will the project complete on schedule? How do you know? Will it be on budget? How do you know? If you can't answer, even if you are willing to seek innovative solutions to tough information-assurance problems, you're headed for far bigger problems from the project itself.

Peter Stephenson is director of information assurance for CeRNS, The Center for Regional and National Security, at Eastern Michigan University
