Pinning Down the Numbers

For IT, the challenges of the risk-based security model are as familiar as they are thorny. For starters, the CIO or security officer must establish an ongoing relationship with key business units, for fact-finding and to stay abreast of changing risks. Moreover, the essential need is to quantify that which may resist quantification; assigning a risk factor, and in particular loss estimates, to a new product or partnership is hardly an exact science.

One aspect of the risk-based model may take some getting used to for IT: As information security ceases to be a stand-alone entity and is instead absorbed into the larger risk picture, responsibility for it may be pulled from the technology group. "We believe 30 percent of [Gartner's] client base has taken infosec away from the CIO," Byrnes says.

Indeed, the most advanced form of risk-based security, dubbed enterprise risk management, is being pushed hard by the large auditing firms. Many businesses that have gone whole-hog into ERM (including virtually all financial services companies, according to Byrnes) have named chief risk officers who report to the CEO or even the board of directors.

Tim Maletic, information services security officer at Grand Rapids, Mich.-based Priority Health, is part of a team mulling a move to risk-based security. But he remains unconvinced of the feasibility of assigning an accurate cost figure to various threats. "In a general way, spending your [security] dollars where you can get the most protection is just sensible," he says. "And that's what we're doing."