Taking the risk out of IT risk management
Taking the risk out of IT risk management
Whether talking about IT systems and data -- or financial, credit and leverage operations -- gaining an understanding of risks to an enterprise and then managing them properly is critical to virtually every business or organization.
Developing an understanding of risks that pose real threats to information and to IT systems requires more than just using the right risk management framework. It also requires that the risk management team describe the risks and their potential impact in a way that senior management can understand and act upon.
Benefits to the organization of effective risk management include gaining a better understanding of the means prioritization. All risk events are not equal in terms of their effect on an enterprise -- an effective risk management programs can expose those with the greatest potential impact. For example, assets such as customer lists and design specifications are often highly valuable to an organization. Infrastructure such as application servers and database servers that support critical business processes, such as accounts receivable or manufacturing, also can have a high value to the organization. Other information assets and infrastructure related to non-core aspects of the business may have a much lower value. Focusing on the highest priority enables more effective remediation efforts, effectively resulting in reduced risk to the organization.
The variety of risk events facing IT organizations are daunting. IT risk management professionals must consider possible security incidents and breaches, the insider threat, criminal attacks, natural disasters, and all manner of others.
Challenges in effective risk management
Obtaining buy-in from senior management is perhaps the most critical prerequisite for effective IT risk management. Key to obtaining this is communicating to senior executives in language they can understand. Senior management generally understands innately the concept of risk to the business, but they typically don't want (or need to) understand arcane and subtle differences between things like weaknesses, vulnerabilities, threats, and attacks. What senior management typically does want is to ensure that an information technology risk analysis process:
- Is done with thoughtful consideration of all possible risk events,
- Leverages domain expertise and what useful security metrics exist to determine event probabilities,
- Leverages business owners' knowledge of their operations to consider the impact of various risk events to the business in a meaningful way,
- Introduces as much objectivity and precision as possible into the risk analysis process,
- Produces prioritized output to guide executive decision making on risk management,
- Can be communicated, in terms of its findings and recommendations, in clear and understandable language.
Improving the risk management process
Numerous risk management frameworks exist to help IT risk management professionals structure their risk analysis efforts. Quantitative and qualitative approaches each have their merits, and risk management frameworks and methodologies including FAIR, FIRM, OCTAVE, FRAP, CRAMM, and others, all provide value by structuring the risk analysis process.
Whatever risk management framework is used, one criteria of success is that the team assembled to assess risk includes appropriate experts from both the technology side as well as the business side. Domain experts are best suited to understand the technical risks facing the organization's IT systems. Participation from business owners is also required, as they will have the best handle on the impact of various threat events actually occurring.
Communications among technical experts and business owners, and ultimately to the senior management to enable risk decision making, has been problematic for many organizations. For example, a commonly used risk equation is:
Risk = (Threat * Vulnerability) / Controls
Among other problems, this formula doesn't bring in the impact of a given risk occurring, which is of utmost importance to senior management. In addition, it isn't clear if “threat” means the level of force being applied by the attacker, or the frequency of event occurrence, or some product of both force and frequency. A common shortcoming of existing risk management frameworks has been the lack of rigorous taxonomies that describe not just the terms, but also the relationships between the various risk elements.
To help improve this situation, the Open Group Security Forum has developed a standard risk management taxonomy and is working to define additional standards in the area of risk management methodologies. The risk taxonomy standard aims to improve things by clearly defining the terminology used in risk management and by defining the relationships between terms. The standard provides definitions for such critical terms as Risk, Loss Event Frequency, Probable Loss Magnitude, Threat Event Frequency, Vulnerability, Primary Loss Factors, Secondary Loss Factors, and many others. The figure below depicts some of the key components of the risk taxonomy:
The objectives of the Open Group risk management taxonomy standard are to:
- Educate information security, risk, and audit professionals,
- Enable a common language for the information security and risk management profession,
- Introduce rigor and consistency into analysis, which sets the stage for more effective risk modeling,
- Explain the basis for risk analysis conclusions,
- Strengthen existing risk assessment and analysis methods,
- Create new risk assessment and analysis methods,
- Evaluate the efficacy or risk assessment and analysis methods,
- Establish metric standards and data sources.
The IT risk landscape is ever-changing. The architectures used to support IT operations are continuing to rapidly evolve, with virtualization, service oriented architectures, Web 2.0 applications, outsourcing of IT and business processes, and cloud computing all changing the way in which information is produced and consumed in an enterprise. Each of these new architectures introduces new vulnerabilities, new threats, and new risks, making effective risk management even more critical. Recent developments like the risk taxonomy standard from The Open Group may help move the risk management profession forward and to establish new approaches to risk analysis and communication.