Why Security carries a Risk Management umbrella wherever it goes
Security people used to be stereotyped as geeky people who did obscure things with systems against equally obscure threats. However, you can’t read security news lately and not see references to risk, and then to risk management, regardless of what segment (banking, retail, construction, etc.) you are in. For people just getting familiar with the security space, this can be a bit unexpected; and maybe even perplexing.
On the surface, it’s a pretty easy jump to understand that when the geeky person who does ‘obscure things with systems’ tells you that there’s a problem (or that it’s raining problems), you want to understand if the problem has already happened versus if it’s just a “might happen” item. The second question is usually about what the impact will be, from best to worst case. Congratulations, you just performed risk management – understanding the equation of “how likely is this * how bad is this * how much will it hurt to fix it?” This set of questions (or those like them) become standardized in organizations as a way to understand potential problems in a common context.
A way to visualize this is Risk Management sitting atop cyber security and predicting the probable security weather; which is how I get to umbrellas. When you look at a weather report, they typically say something like “80% chance of rain” – and I know I need to actually have my umbrella handy. The particular function of a risk management umbrella is much like a physical umbrella – it attempts to keep the rain of security threats off, and provide some level of incidental wind protection if necessary. So what is the formal definition of Risk Management? A phrasing I like to borrow (with accreditation to the Government Accountability Office): Risk management is a “systematic and analytical process to consider the likelihood that a threat will endanger an asset (e.g., a structure, individual, or function) and to identify actions that reduce the risk and mitigate the consequences of an attack.”
So, why are we doing this? Two primary reasons – to understand and prioritize work; as well as think about (and try and identify) those things we don’t yet know. To facilitate understanding what type of security weather people can expect, security risk management approaches can be broken down into threat assessment (what is it and how likely is it), vulnerability assessment (where are our weaknesses) and criticality assessment (how much will any given problem hurt).
Just like a weather report lets you decide if you need to buy that new winter coat, or if what you have is enough for the projected weather coming up; a risk management philosophy that is embedded in the fabric of your organization allows you to have an eyes open approach to security. The goal is never to avoid taking risk – you wouldn’t give up your ski trip because you didn’t have a coat rated for that weather; but to allow organizations to make great decisions that allow them to take the right risks. So, the next time you remember your umbrella from the weather man – think about if you’re getting the same kind of predictive visibility to your security and business continuity.