Measuring IT risk
One of the thornier issues in security risk management - but it's getting better all the time
What's the most-lamented difficulty in applying real risk management to security? Lack of hard numbers, of course.
Particularly on the digital side of security. The old "actuarial table" problem. We don't know precise probabilities, can't accurately calculate impact costs, boo hoo.
(I do love an old quote about this issue, attributed to Dan Geer: "The numbers are too poor even to lie with.")
But lots of people are chipping away at this problem. The bottom line is that there's no reason to throw up your hands and say it can't be done. Here is some of the coverage we've done on this question:
One of the key points both gentlemen make is that you can apply risk management principles now and improve your outcomes. Absolute precision and perfection aren't necessary. (What business decision-making process is demonstrably perfect anyway?) Hubbard argues convincingly that IT security is not as unique as is often claimed. Other disciplines face similar challenges in measuring risk.
Hutton is a member of the Society of Information Risk Analysts (SIRA). He and other SIRA folks pitched into a recent discussion about 7 common risk management mistakes. If you haven't read that yet, do. You can fast forward your own program by avoiding the missteps others have considerately made for you. Don't replicate the audit department, don't confuse accuracy with precision, don't try to make a comprehensive risk register.
Really, go read it.
And one last piece specific to IT risk: Are you using a formal risk assessment framework? Bob Violino wrote an overview of four of them - OCTAVE, FAIR, NIST RMF, and TARA.
Okay. That's a foundation of our coverage of this tricky and sometimes contentious IT measurement issue.
My initial thesis was that risk management needs to be more quantifiable, and more inclusive of multiple interconnected disciplines. Upcoming posts will provide new material on both those topics. Onward!