May 7, 2010
Vol. 32 Issue 10
Page(s) 13 in print issue
Successful Risk Management
Mitigating Risks Means Protecting Your Enterprise From Security Threats, Hidden Costs & Damage To Your Reputation
A successful enterprise does not exist without solid risk management. And although it can be time-consuming and lower on immediate priority lists, risk management helps protect the enterprise from security threats and also helps to make sure that damage is as minimal as possible. Risk management is all about achieving information security and supporting business goals in the enterprise.
• A risk management strategy identifies threats to an organization’s assets and lays out the controls required to prevent, detect, and respond to threats.
• Potential risks that threaten SMEs include loss of property and income, legal issues and costs, and damage to the company’s image.
• Although risk can never truly be eliminated entirely, having an effective plan in place can help mitigate the risk and control costs.
A Key To Success
Christian Malatesti, senior information security consultant with Enterprise Risk Management (www.emrisk.com), says that risk management is paramount in the data center. “Risk management is important to ensure that a methodical risk-based approach is used to identify the assets to be protected; the threats and their impact on those assets; and the controls to be used in order to prevent, mitigate, detect, and respond to those threats,” he says.
In addition, Malatesti says risk management is a core component of an organization’s IT governance. He says risk management ensures that adequate controls are in place to support the profitability of the business by mitigating the risks of security incidents and ensuring compliance with applicable regulations. He explains, “Risk management provides management with the information and tools to identify and prioritize the steps to take in order to achieve data protection, balance the costs, and support the organization’s business mission.” Malatesti says risk management requires the commitment of top management to ensure that the appropriate resources are allocated to the project and the necessary support is given, as risk management is not intended to be just a technical security concern.
Chris Richter, vice president of security services at Savvis (www.savvis.net), says that if structured properly, a risk management program can be an effective process for identifying, rating, and addressing critical problem areas. “Data centers, and customer configurations within them, can be complex,” Richter says. “There are many risks related to company data, regardless of where it resides.” He says common examples of company risk include income and revenue loss, lost reputation or brand damage, legal issues, loss of assets, and random expenses associated with risk.
Implementing risk management is a complex venture, according to Jeffrey Baldwin, vice president of alliances and technology at Syntex Management Systems (www.syntexsolutions.com), because every organization differs in size, geographic location, business culture, and system processes. He says, “Risk management success can be broken into the following: a corporate goal and top-level ‘buy-in’ to support change in the organization; an agreement that business processes and corporate culture play an integral part in the success of implementing risk management across the enterprise; and recognition that a software tool can aid in the organization and tracking of business process execution, reactive and proactive data gathering, and business cultural change.”
Baldwin says that in most enterprises, a successful software product integrates with or replaces multiple software applications that have various operational risk management objectives while providing a central conduit for more open risk communication between leadership and the workforce.
In Richter’s opinion, the first step to successful risk management is to develop a formal program that begins with a comprehensive risk assessment (including an asset evaluation). “A solid risk management program can potentially help improve a company’s business efficiency, reduce its risk exposure, and thus improve its performance and bottom line,” he explains. “The key benefit of a risk assessment is that it can actually help enterprises reduce the number of controls they are required to implement. It does this by identifying those IT assets that need to have strong controls and those assets which, based on their risk ratings, require less stringent controls.”
Avoid Potential Problems
According to Malatesti, it is part of the risk management approach to evaluate risks—including the advantages and deficiencies affecting a given solution. He says risk management provides a methodical and empirical approach to evaluate both aspects, guide management to make an informed decision, and measure the ROI. He adds, “Risk management provides a methodology to identify alternative solutions, also known as compensating controls, that can be implemented to mitigate risks discovered during the risk assessment and when the implementation of a direct solution is not feasible due to technical difficulties, excessive cost, etc.”
Malatesti says risk management resides at the foundation of any sound IT security strategy because it dictates the steps and prioritizes the activities necessary to achieve information security and support business goals. “It provides the broad picture of where an organization stands in terms of security, business continuity, and compliance,” he says.
Baldwin recommends starting with a particular group, location, or organization as a pilot when implementing an enterprise-wide risk mitigation solution. “In this manner, a set of repeatable standards can be derived for security, storage, and network management and then decisions can be made regarding the flexibility allowed within each group, location, or organization as the solution is deployed,” he says. “Also, a detailed implementation plan, including resource requirements and assumptions, should be developed and agreed on during the solution planning phase of an enterprise implementation project.” He says a project-steering committee should also be formed from representative management to make key decisions and track progress.
Richter cautions readers about creating risk management programs with too many controls. He says this can actually impair a company’s risk management efforts. “If implemented properly, a risk management program should improve the bottom line by making companies more secure, more efficient, and less likely to incur a loss of high-value data assets,” he says. “To avoid the problems associated with a poorly designed and implemented approach to risk management, IT professionals should follow established guidelines for governance, risk, and compliance (GRC) best practices and possibly seek guidance from a reputable risk management consultant or service provider who is skilled in GRC.”
Richter says companies can never completely eliminate risk. The objective, he says, is to reduce risk to an acceptable level at an acceptable cost through the application of a risk mitigation process.
by Chris A. MacKinnon
Top Tip: Check Your Progress In Stages
According to Jeffrey Baldwin, vice president of alliances and technology at Syntex Management Systems (www.syntexsolutions.com), a successful risk management methodology uses a stage gate process to review and agree on progress. The stage gates and decision criteria are:
Phase 1: Solution Planning. Agree on the detailed implementation project plan, including timing and resource requirements.
Phase 2: Solution Design. Agree and sign off on process flow diagrams.
Phase 3: Solution Configuration. Agree and sign off on configuration workbooks. Also successfully test the configured and piloted solution.
Turn the pilot group, site, or location live and validate that all project components are delivered in the data center environment and that all technical functions are working properly.