Why risk management can succeed in IT

22.10.2012

IT security lacks the number-crunching machinery of financial risk modeling and the long history of market data that can be fed into Monte Carlo simulations. Other risk disciplines have decades of data that have led to refined mathematical, quantitative methods. Will IT security ever get there? We seem to be making significant progress. Consider:

* Identification of assets is achievable. One of the first tasks in IT security risk management is knowing what you need to protect. This is a significant challenge and, with the , it can seem an insurmountable task. However, technologies are now addressing the "find the needle in a stack of needles" problem, identifying where important data flows into or out of the organization and where it ends up. For example, technologies continue to expand their scope, accuracy and capabilities.

Some perspective is useful when looking at progress against this problem. Will an organization have an absolute list of every desktop, laptop, mobile device, , switch, database and widget in the entire IT universe? No. But can an organization find where personal information, credit cards, key research and development plans and other jewels of the company live? Absolutely. Today.

A large technology company launched an initiative to find credit card data. A DLP scan across its file servers found 30,000 files spread out over a large, international IT infrastructure. With a combination of technologies and processes, the company cataloged these data assets, identified owners, contacted them, remediated and secured the data. This wasn't a multi-year effort; it was a multi-week effort. In addition, the company realized how it could do this for other information assets. Lo and behold, the company not only secured the loose change across the file servers, it determined how to find and secure the bags of money as well.
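As an added illustration of the kind of file-server scan described above (this is example code written for this page, not code from the original article or from the company it describes), the following Python script walks a directory tree, flags candidate card numbers with a regular expression, validates them with the Luhn checksum to cut false positives, and records for each file the number of hits, the owning uid (the starting point for identifying a business owner) and masked samples. The directory layout, the file contents, the test card numbers and all function names are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Candidate primary account number (PAN): 13-19 digits, optionally split by
# single spaces or dashes, and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid candidate PANs (separators removed) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep the first six and last four digits, as a scan report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root, max_bytes=4 * 1024 * 1024):
    """Walk root and return {relative path: finding} for files holding PANs.

    Each finding records how many numbers were seen, the owning uid and
    masked samples; only the first max_bytes of each file are inspected.
    """
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_bytes()[:max_bytes].decode("utf-8", "ignore")
        except OSError:
            continue                # unreadable file: skip it, don't abort the scan
        pans = find_pans(text)
        if pans:
            st = path.stat()
            findings[path.relative_to(root).as_posix()] = {
                "count": len(pans),
                "owner_uid": st.st_uid,
                "samples": sorted({mask(p) for p in pans}),
            }
    return findings


def build_sample_tree():
    """Create a constructed file-server snapshot for the demo and return its path."""
    root = Path(tempfile.mkdtemp(prefix="dlp-demo-"))
    files = {
        # two Luhn-valid test numbers, one spaced and one dashed (constructed data)
        "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n1002,5500-0000-0000-0004\n",
        # a valid 15-digit number buried in free text
        "hr/notes.txt": "Expense on corporate Amex 378282246310005 approved by JD\n",
        # 16 digits that fail Luhn, plus a short timestamp: neither should be reported
        "eng/build.log": "build id 1234567890123456 completed; ticket 20231015\n",
        "eng/README.md": "Nothing sensitive here.\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    for rel, f in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {f['count']} PAN(s), uid {f['owner_uid']}, e.g. {f['samples'][0]}")
```

The Luhn check is what keeps a scan like this usable: a bare 13-to-19-digit regex lights up on build IDs, timestamps and serial numbers, while the checksum rejects roughly nine in ten random digit runs. A production DLP tool adds the pieces this sketch omits, such as document and archive parsing, sampling policies for very large files, and a workflow for contacting the owners it finds.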

* Value to the business can be determined. The second challenge, once your key assets are identified, is assigning a business value. In some cases we may have to live with a qualitative measure, but in others we can get to cold hard cash, or at least an intelligent approximation. This takes some work, and getting the right framework in place is critical. For the qualitative measure, on business processes are Step 1. This provides the top-down business value. Bottom-up, the IT department needs to organize its asset catalogs so that key IT assets are connected to those business processes.