By Craig Robinson
Risk management should be the central objective of all information security initiatives. It’s a delicate balance of art and science. Because the ‘science’ part is more straightforward and provides the foundation for the broader discussion, let’s address this facet of risk management first.
Risk is a function of assets, vulnerabilities, threats, and safeguards. Each of these parameters has a definable scope that can be translated into corporate risk management policy and is integral to enabling specific security standards, procedures, and processes.
Through a structured approach to risk management, organizations can identify, classify, and manage their critical assets. They can also assess and manage vulnerabilities while they assess and monitor threats. Because risk results from the confluence of assets, vulnerabilities, and threats, organizations can identify the intersections among these parameters and then develop or select effective and efficient additional safeguards to mitigate their assessed risk appropriately.
Unfortunately, the ‘art’ aspect of risk management is harder to nail down. When has an organization reduced risk to an acceptable level? What assumptions are inherent in risk management decisions? How might these decisions change as assumptions become fact, or are proven incorrect, or linger somewhere between these two extremes?
In the early days of the Internet, some organizations threw up their hands, opting not to answer these questions. I still remember when organizations, practicing risk avoidance, refused to set up e-mail systems (even well into the ’90s!) because they feared data compromise.
In today’s business climate, organizations can no longer consider risk avoidance as an effective strategy. The Internet is here to stay, as an essential business enabler, and will remain as such until it is replaced someday by something even more flexible and powerful — and frightening. Because we cannot eliminate risk entirely in an interconnected world, secure information exchange is a business mandate with risk management at its core. It’s from this perspective that we’ll continue our dialog in future posts.
