Why Risk Management Fails in IT
Tue, October 16, 2012
Network World — It is frustrating to see the amount of budget allocated to compliance when you consider that most of the money goes to documenting security controls, not improving defenses. One of the biggest reasons is that risk management, a carry-over from the bigger world of business, does not work in IT security.
While few small businesses have formal risk management programs, most large businesses do. They even have risk committees that are drawn from the board of directors, often headed up by the CFO. The goal is to identify risks and either reduce their potential impact with compensating controls or purchase insurance to further reduce the business risk.
For example, a large airline, thanks to its risk management program, may recognize that rising fuel prices could hurt its competitiveness and decide to hedge fuel on the open market, or a car manufacturer that has gone too far down the path of Just-In-Time supply may start to warehouse critical components in case a supplier in Thailand is wiped out by a flood.
But try to translate risk management theories to IT and you run into troubles. Every risk management program starts with the dictate to identify all IT assets and weight them based on their criticality to business operations. That leads to the first big problem.
1. It is expensive and almost impossible to identify all IT assets.
While at first glance identifying assets appears to be a simple problem, it is actually extremely complex; almost fractally complex. IT assets include every computer (desktop, laptop, server, print server), every application (database, email, ERP), every data set (customer lists, earth resources data, product pricing guide), all email, all documents in all versions, all identities and all communications.
Now, add in the proliferation of devices coming in with consumerization -- smartphones, iPads, even e-readers -- and the data that reside on them. Then add in the dynamic nature of the cloud, where servers can be in a constant state of flux as load is elastically met with more or fewer virtual machines. Like I said, it's complicated.
The next big problem?
2. It is impossible to assign value to IT assets.
The concept behind risk management is that you assign a value to each asset. There are many algorithms for doing so. It usually involves a cross-functional team meeting and making at least high-level determinations. But it is obviously impossible to assign a dollar value to each IT asset. Is it the cost of replacing the asset? That might work for a lumberyard, but an email server might have a replacement value of $2,000 while the potential damage to a company from losing access to email for an extended period could be millions of dollars in terms of lost productivity.