InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity November 2008


Cover Story
Risk Management: Is it Over-hyped?
—By: Sameer Shelke, Co-founder and Chief Operating Officer, Aujas Networks.

Risk Management has been discussed a lot, but the level of acceptance of this practice in industry is still questionable. Is it over-hyped or justified? This article finds out the real scenario.

Analysts report that spending on Governance, Risk Management & Compliance (GRC) is expected to touch $32 billion in 2008, an increase of 7.4% over 2007. In the context of the current economic crisis, the IMF reports that losses on US subprime & securities would total about $1.43 trillion. With the majority of experts calling for more risk management measures, spending on risk management would possibly grow even more. Information Technology (IT) risk management would also follow the trends shown by business & financial risk management initiatives.

So the question is “Is Risk Management over-hyped? Does it actually provide the benefits to the extent it is expected to?” In order to discuss this question, we need to understand what IT Risk management is, what is expected from it, what is normally done and what can be done better.

As I write this article one part of me says that, hype or not, companies would be forced to substantially increase their efforts on risk management, due to regulations, customers or stakeholder pressures.

What is Information Technology Risk?

What is “Risk”? NIST defines Risk “as a function of the likelihood of a given threat source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization”. Information Technology (IT) risk is part of several risks which an organization needs to manage. The following schematic depicts a “Risk Map” and the components of IT risk.

The above schematic shows IT risk in the outermost circle. IT Risk spreads across multiple segments of risk due to the use of IT in various functions of an organization.
Some examples:

So a few key learnings from the definition of IT risk are:
• IT Risk is a component of overall Enterprise Risk and hence cannot be considered in isolation.
• Risks need to be analyzed from the standpoint of Threats, Vulnerabilities and Impacts, and hence every organization would have its own risk components. There is no “one size fits all” way of managing risk.

What benefits are expected from IT Risk Management?

In my opinion there are some direct and some derived benefits from IT Risk management. The following table shows a few of them.

The direct and derived benefits would of course change depending on each organization's situation and objectives; however, it's important to understand them to ensure that risk management initiatives are successful.

One of the most common reasons why IT Risk management doesn’t give the expected benefits is that it is primarily done to achieve a derived benefit rather than a direct benefit.
e.g. A company decides to go in for ISO 27001 certification because a customer RFP states it as a requirement. In order to achieve ISO 27001, one needs to design & deploy an ISMS framework, which is a form of IT risk management. Due to the RFP time pressure, the company quickly hires an ISMS consultant, who does the relevant documentation & some implementation. An ISO 27001 auditor is contracted, who after the relevant audits recommends the company for certification. A derived benefit is achieved, the objective is met.
But has any direct benefit been achieved? After going through all the effort, if IT Risk is not reduced and managed, at some point this effort and cost would look irrelevant.
Hence the key learning is to set the right objectives for IT Risk management.

Top 10 mistakes done during IT Risk Management initiatives

Following are my top 10 mistakes made by organizations in relation to IT Risk Management. I must admit some, if not most of them are ones which I myself have made while playing the role of a consultant, auditor or a CISO.

1. Understanding what IT Risk Management is: Most times we get confused between IT Security Management and IT Risk Management. IT Risk management is not about managing security controls like firewalls, IDS, authentication systems etc. It’s about managing the risk: deficiencies in the IT systems which can impact the business.

2. Defining the right objective: In the long run, derived benefits such as certification requirements or customer requests would lead to failure in getting the right benefits from IT risk management. At the end of the day, this is required for our business and not because someone else has asked for it.

3. It is Risk “Management”: This in my opinion is the most common mistake we make in Risk management. There is a lot of emphasis on designing and implementing risk management strategies and controls, with little or no focus on “managing it”. No business environment is static, nor are the risks it faces; hence risk management is a moving target, and getting it right one time won’t help. The key is focusing on managing risk on an ongoing basis, adapting to changes and new threats and the related impacts.

4. “Out-owning” risk management: Outsourcing or out-tasking functions in risk management is normal and in most cases justified. The problem is when the organization “out-owns” it, which is my word for trying to outsource ownership or responsibility. One can use external resources to supplement skills, knowledge, resources etc., but risk management has to be the core responsibility of the organization itself.

5. The tool trap: Another common mistake: buy a multi-million dollar tool and assume that it would take care of risk management. There is no silver bullet; automation can only streamline existing processes. A risk management tool would for sure help in monitoring, reporting and managing the risk management framework and processes. However, it can’t replace the framework or process. As it’s said, “A fool with a tool is still a fool”.

6. Getting caught up with standards and best practices: We come across several compliance frameworks and best practices including ISO 27001, COBIT, ISO 20000, PCI, SAS 70 and SOX etc. These are great and have been developed after several years of research and practical experience. For an organization it’s important to understand and learn from these frameworks. What is wrong is to lose focus on what the organization wants to achieve and get caught up in the jargon of these frameworks.

7. Over-emphasis on reusability: We in the IT industry are “embedded” with the reusability concept, and rightly so. It’s important to reuse knowledge and components for better efficiency and cross-learning. However, there is a very thin line between reusability and the “Cut-Paste” way of doing things. Reusing any other company's risk management framework and processes, without understanding our own organization's needs, is one bad example of reusability.

8. Incorrect Risk Management team: Most companies are faced with this challenge. Some companies have dedicated risk management teams, in some the quality groups look after it, and in some it’s a virtual team. There is no right or wrong way to do it, as it depends on the resources and organizational design of each organization. The problem arises when this team doesn’t have the right number of resources and representation from the required functions within the organization.

9. Management Support: As clichéd as it may sound, many risk management initiatives fail because top management is not committed to them.

10. Trying to quantify benefits / ROSI: I know several professionals in the Risk management or security space would strongly disagree with me, and maybe they are right, but there is no way most organizations can quantify the benefits of risk management or security investments, ROSI (Return on Security Investment) as it is called. This is because most ROSI models are based on quantification of the value of IT assets. Many organizations I have worked with don’t even know their complete IT assets, let alone try to estimate their value to the business. Hence one could face a lot of frustration trying to quantify benefits, and hence give up on risk management initiatives.

Conclusion

In conclusion, Risk management (including IT Risk management) is key to an organization's survival and growth. We owe it to our shareholders and customers. It seems hype to some organizations because it doesn’t give them the expected benefits. That could be happening because the organization might be making one or more of the mistakes mentioned above during their risk management initiatives.

Right or wrong, hype or not, organizations would have to invest time, money & resources in Risk Management due to the current business environment. Let's try and get it right.

© 2006-07 'InfoSecurity' magazine. All rights reserved.