Risk management is the method most often used to reach reasonable and appropriate spending on, and management of, security controls. However, there is contention between security professionals who believe this is the proper approach and those who believe that risk management is fundamentally flawed. The following pros and cons are my reflections on two recent, opposing articles on this topic. The pro position was taken by Jay G. Heiser in an Information Security magazine article titled "Fad or For Real" (February 2007, p.

Pro

• Looking at mainstream information security doctrine, risk is a basic metric in security management. Risk assessments are performed based on the formula Risk = Threats * Vulnerabilities * Impact.
• I agree with Heiser's assertion that there is nothing certain in business. Decisions about how much risk to accept are based on the probability that an unwanted event will occur and the annualized business impact of that event. Using this approach, appropriate controls are put in place to ensure reasonable and appropriate protection for the business. Attempting to eliminate all risk is not a sound business decision from a cost perspective; at some point you reach a point of diminishing returns.

Con (the position taken by Parker)

• In essence, risk reduction is guesswork at best. It isn't a valid metric of the company's commitment or effort to address matters of potential negligence, ethics, regulatory compliance, and protection of the company brand.
• According to Parker, "Security risk is not measurable, because the frequencies and impacts of future incidents are mutually dependent on variables with unknown mutual dependency under control of unknown and often irrational enemies with unknown skills, knowledge, resources, authority, motives, and objectives—operating from unknown locations at unknown future times."
• Threats evolve over time. A risk assessment performed yesterday might have very different results if performed tomorrow.

Both Heiser and Parker make good arguments for their positions. However, my experience shows that leaning too far in either direction is a bad idea. I use risk assessments every day to help determine risk. When I present the results, I qualify my assessment scores with a statement that they are simply a guideline. Variances in qualitative or quantitative measures, evolving threats, and how much effort an attacker is willing to expend to reach an attack objective are all discussion points. Using unqualified risk scores as the only input into a decision about the right security controls is a mistake. Security management is not an exact science. As a director of security, it's my responsibility to educate business managers on the moving target at which we aim every day. I do this while working diligently to ensure that security is an enabler: a means to efficiently meet business objectives in relative safety.

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police, with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.
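The following Python script is an added worked example, not code from the article or its author. It puts numbers to both halves of the argument above: the Pro side's Risk = Threats * Vulnerabilities * Impact, run as an annualized-loss-expectancy (ALE) calculation with a cost-benefit test that stops at the point of diminishing returns, and the Con side's objection that the inputs are guesses, handled by carrying every estimate as a (low, likely, high) triple so the spread of the score is reported beside the point value. The risk, the three controls, every figure, and the assumption that controls compound multiplicatively are constructed for illustration.

```python
"""Quantitative risk worked example (added illustration; all figures constructed).

ALE = ARO * SLE: annual rate of occurrence times single loss expectancy.
Estimates are (low, likely, high) triples so the uncertainty travels with
the score instead of being hidden behind a single number.
"""
from dataclasses import dataclass
from typing import List, Tuple

Estimate = Tuple[float, float, float]  # (low, likely, high)


@dataclass(frozen=True)
class Risk:
    name: str
    aro: Estimate  # expected events per year
    sle: Estimate  # loss per event, in currency units


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of the remaining ARO removed, 0.0 .. 1.0


def ale(risk: Risk) -> Estimate:
    """ARO * SLE for the low, likely and high estimates.

    Low is paired with low and high with high, so the triple brackets the
    plausible range of annual loss rather than reporting one 'true' number.
    """
    return tuple(a * s for a, s in zip(risk.aro, risk.sle))


def spread(risk: Risk) -> float:
    """Ratio of high to low ALE: how far the inputs alone can move the score."""
    low, _, high = ale(risk)
    return high / low


def residual_ale(risk: Risk, controls: List[Control]) -> Estimate:
    """ALE left after the given controls are in place.

    Modelling assumption (constructed): each control removes a fixed fraction
    of whatever ARO remains, so reductions compound multiplicatively.
    """
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.aro_reduction
    return tuple(v * remaining for v in ale(risk))


def net_benefit(risk: Risk, in_place: List[Control], candidate: Control) -> Estimate:
    """ALE reduction minus annual cost of adding `candidate` on top of `in_place`.

    Returned for low, likely and high; a negative value means the control
    costs more per year than the loss it is expected to prevent.
    """
    before = residual_ale(risk, in_place)
    after = residual_ale(risk, in_place + [candidate])
    return tuple(b - a - candidate.annual_cost for b, a in zip(before, after))


def select_controls(risk: Risk, candidates: List[Control]) -> Tuple[List[Control], Estimate]:
    """Greedy control selection up to the point of diminishing returns.

    Repeatedly adopts the control with the best likely-case net benefit and
    stops when no remaining control pays for itself.  Each adopted control
    shrinks the ALE the next one can act on, which is why a control that
    looked worthwhile in isolation can fail the test later in the sequence.
    """
    chosen: List[Control] = []
    pool = list(candidates)
    while pool:
        best = max(pool, key=lambda c: net_benefit(risk, chosen, c)[1])
        if net_benefit(risk, chosen, best)[1] <= 0:
            break
        chosen.append(best)
        pool.remove(best)
    return chosen, residual_ale(risk, chosen)


# Constructed sample input: one risk and three candidate controls.
RANSOMWARE = Risk(
    name="ransomware on the primary file server",
    aro=(0.1, 0.3, 1.0),             # once a decade .. once a year
    sle=(50_000, 200_000, 600_000),  # per-incident loss, currency units
)
CANDIDATES = [
    Control("offline, tested backups", annual_cost=15_000, aro_reduction=0.6),
    Control("endpoint detection and response", annual_cost=10_000, aro_reduction=0.5),
    Control("phishing awareness training", annual_cost=5_000, aro_reduction=0.2),
]


if __name__ == "__main__":
    low, likely, high = ale(RANSOMWARE)
    print(f"ALE low/likely/high: {low:,.0f} / {likely:,.0f} / {high:,.0f} "
          f"(spread x{spread(RANSOMWARE):.0f})")
    chosen, residual = select_controls(RANSOMWARE, CANDIDATES)
    for c in chosen:
        print(f"  adopt: {c.name} ({c.annual_cost:,.0f}/yr)")
    for c in (c for c in CANDIDATES if c not in chosen):
        nb = net_benefit(RANSOMWARE, chosen, c)[1]
        print(f"  skip:  {c.name}, likely-case net benefit {nb:,.0f}/yr")
    print(f"residual ALE low/likely/high: "
          f"{residual[0]:,.0f} / {residual[1]:,.0f} / {residual[2]:,.0f}")
```

Run stand-alone, the script shows two things the prose argues separately. On the constructed inputs each control pays for itself against the uncontrolled ALE, but after backups and EDR are adopted the residual ALE is small enough that training no longer does, which is the diminishing-returns point the Pro section describes. At the same time the low and high ALE differ by a factor of 120 from nothing more than the plausible range of the inputs, which is why the score should be presented as a guideline and the assumptions behind it put on the table, as the closing paragraphs recommend.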