Why risk management can succeed in IT

22.10.2012

The quantitative approach, Nirvana for most risk managers, can also be achieved. For example, some DLP products can actually tell you how many records of a certain type are in a database. If those records represent a $X/record cost if the data is breached and released, then that database has a specific value from a breach perspective. That database may also have a financial value from a business perspective. Most major internal systems can derive business impact from their "information value" -- the value of the data sitting on, or processed by, the system.

A key component to successfully implementing this is establishing not only the traditional IT asset catalog, but the connection to business impact analysis and business asset catalogs that bring the business context to IT security processes. This is a next-generation approach. It isn't just about building a spreadsheet of servers, their MAC addresses, serial numbers, CPU and hard drive specs. Bringing in the data dimension, through DLP or other discovery technologies, along with the business dimension, by actually talking to the business, takes IT asset understanding to a new level.

* Risk management approaches clarify the landscape. To keep it simple, the basic traditional formula for risk is Value of Risk = Likelihood X Impact. If we begin to understand the "Impact" portion of the equation using techniques I just outlined, then "likelihood," represented by some probability, is our next target.

Today's threat landscape is extremely volatile. In fact, the probability of some type of IT security breach is approaching 100%. Most companies absolutely know they have threat actors that are interested in their information. Therefore, we can only hope to reduce the likelihood of their success through intelligent controls design and implementation.

The business impact is a clear differentiator when it comes to designing security controls. Some controls are must-haves, and companies already have them in place. IT security needs to evolve so that the must-haves are tailored to the business situation.
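The catalog-plus-impact calculation described above, as an added illustration that is not from the original article: each IT asset is linked to a business process and to the record counts a DLP discovery scan would report, impact is derived from record count times per-record cost, and Value of Risk = Likelihood X Impact is then used to rank assets and to show the effect of a control that lowers likelihood. The data classes, per-record costs, record counts and likelihoods are constructed placeholders.

```python
from dataclasses import dataclass

# Per-record breach cost by data class ($/record). Constructed figures for the
# example; a real catalog would take these from the business impact analysis.
COST_PER_RECORD = {"PCI": 120.0, "PHI": 200.0, "PII": 80.0}


@dataclass
class Asset:
    name: str               # the traditional IT asset catalog entry
    business_process: str   # business context, obtained by talking to the business
    records: dict           # data class -> record count, as a DLP discovery scan reports it
    likelihood: float       # estimated probability of a successful breach per year (0..1)


def information_value(asset: Asset) -> float:
    """Impact side of the formula: sum of record count x cost per record."""
    return sum(count * COST_PER_RECORD[cls] for cls, count in asset.records.items())


def risk(asset: Asset, likelihood_reduction: float = 0.0) -> float:
    """Value of Risk = Likelihood x Impact.

    likelihood_reduction models a control that lowers the probability of a
    successful breach (0.0 = no control, 0.5 = halves the likelihood).
    """
    residual_likelihood = asset.likelihood * (1.0 - likelihood_reduction)
    return residual_likelihood * information_value(asset)


def rank_by_risk(assets):
    """Order the catalog so the highest-value risks come first."""
    return sorted(assets, key=risk, reverse=True)


# Constructed catalog: the build server has the highest likelihood but holds
# no valued data, so a spec-only asset list would over-prioritise it.
CATALOG = [
    Asset("crm-db-01", "Sales", {"PII": 250_000}, 0.30),
    Asset("billing-db-02", "Billing", {"PCI": 40_000, "PII": 40_000}, 0.15),
    Asset("hr-fileshare", "HR", {"PHI": 5_000, "PII": 12_000}, 0.40),
    Asset("build-server", "Engineering", {}, 0.50),
]

if __name__ == "__main__":
    for a in rank_by_risk(CATALOG):
        print(f"{a.name:14} {a.business_process:12} impact=${information_value(a):>12,.0f} "
              f"risk=${risk(a):>12,.0f} risk_with_control=${risk(a, 0.5):>12,.0f}")
```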