In an article published at Network World Online, Richard Stiennon, Chief Research Analyst at a company called IT-Harvest, claims that IT Risk Management inevitably fails. He ends up recommending “threat management techniques” instead of Risk Management, saying that it is about making decisions about threats. However, he seems to have a misconception about what Risk Management is.

Risks are threats to assets: each has a specific probability and a potential impact. The thesis of Richard Stiennon rests on the assumption that Risk Management must start with identifying all assets and assigning a value to them. He then states that risk management methods invariably fail to predict actual disasters, and he also claims that Risk Management leads to “protect everything” approaches being deployed.

I don’t agree with that view, which from my perspective reflects a fairly limited understanding of how Risk Management works in theory and practice. There is no doubt that you can do things wrong. But concluding from that that Risk Management is the wrong approach is not valid.

I had a conversation with Art Coviello, Executive Vice President at EMC and Executive Chairman of RSA, the security division of EMC. We talked about the strategic approach of RSA, a topic he then covered in his keynote at the RSA Conference Europe the day after our conversation. This conversation was very much about understanding risks in IT as the starting point for successful IT security. It was especially about understanding the changing threat landscape and understanding which types of assets will be in danger. It was also about the consequence of this approach: a shift from traditional “protect all” approaches towards a far more targeted, layered, and thus more sophisticated security approach.

The most important point therein is that Risk Management is not about first listing all your IT assets. That can be useful, of course, but it is just one element. By the way: many IT organizations have a working inventory of IT assets and contract management in place, while others still struggle with identifying all their applications and systems, not to mention system owners or even information owners.

Risk Management is about understanding both: threats and their potential impact on assets. So, first of all, Risk Management does not necessarily start by identifying all assets. And it is not an approach that is done once and never revisited; it is about setting up a process of regularly validating former assessments.

The most important points I would make when looking at the statements of Richard Stiennon are:

  • Risk Management should always take the threats into account – and understanding threats is a good starting point.
  • You will have to know about your assets anyway. If you start by analyzing the threats, the next question is about their potential impact on assets.
  • You will also need to understand the probability and potential impact of threats. Otherwise you are not able to tell high-risk threats from low-risk ones.

Simply said: using “threat management techniques” done right and in a way that works is nothing other than Risk Management where you start by looking at the threats – an approach that isn’t uncommon in good Risk Management implementations.

We have done many webinars around Risk Management that touch on that point. And there is a report out describing our view on a GRC Reference Architecture. This report is worth reading because it puts all these things into an organizational context. It is clearly about a balance between knowing the assets and understanding the threats.

But regardless of where you start (and I agree that understanding the threats is probably the best starting point): you still need to know your assets, the probability of attacks/threats, and their potential impact in order to do things right. Only then will you be able to pick a good mix of countermeasures, both organizational and technical, instead of ending up with a “protect everything a little” approach.
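To make that concrete, here is a small added example of my own (the figures are constructed, not from Stiennon’s article or from RSA): a risk register built threat-first and asset-first comes out identical, ranking by probability times impact separates high-risk from low-risk threats, and a greedy pick of countermeasures by exposure removed per unit of cost (one selection heuristic I assume here) spends a limited budget on a targeted mix instead of protecting everything a little.

```python
from typing import NamedTuple

class Risk(NamedTuple):
    threat: str
    asset: str
    probability: float  # expected occurrences per year (constructed estimate)
    impact: float       # loss per occurrence in currency units (constructed)

def exposure(r: Risk) -> float:
    return r.probability * r.impact  # annualised loss expectancy

# Constructed estimates keyed by (threat, asset); a missing pair means the threat does not hit that asset.
ESTIMATES = {
    ("phishing", "staff mailboxes"): (0.9, 20_000),
    ("phishing", "customer database"): (0.3, 500_000),
    ("ransomware", "file server"): (0.2, 300_000),
    ("ransomware", "customer database"): (0.1, 800_000),
    ("ddos", "public web site"): (0.5, 40_000),
}
# Constructed countermeasures: cost, and the fraction of probability removed from every risk of the named threat.
COUNTERMEASURES = {
    "phishing awareness training": (15_000, {"phishing": 0.5}),
    "mfa on mail and database": (20_000, {"phishing": 0.6}),
    "offline backups": (30_000, {"ransomware": 0.8}),
}

def build_register(start_with: str) -> list:
    """Threat-first or asset-first: the next question is always the other one,
    so both orders yield the same register, ranked highest exposure first."""
    threats = sorted({t for t, _ in ESTIMATES})
    assets = sorted({a for _, a in ESTIMATES})
    pairs = ([(t, a) for t in threats for a in assets] if start_with == "threat"
             else [(t, a) for a in assets for t in threats])
    reg = [Risk(t, a, *ESTIMATES[(t, a)]) for t, a in pairs if (t, a) in ESTIMATES]
    return sorted(reg, key=exposure, reverse=True)

def choose_countermeasures(register: list, budget: float):
    """Greedy pick by exposure removed per unit of cost, within budget."""
    remaining, candidates, chosen, spent = list(register), dict(COUNTERMEASURES), [], 0.0
    while candidates:
        score = {n: sum(exposure(r) * cuts.get(r.threat, 0.0) for r in remaining) / cost
                 for n, (cost, cuts) in candidates.items()}
        best = max(score, key=score.get)
        cost, cuts = candidates.pop(best)
        if score[best] <= 0 or spent + cost > budget:
            continue  # useless or unaffordable: drop it and try the rest
        chosen.append(best)
        spent += cost
        remaining = [r._replace(probability=r.probability * (1 - cuts.get(r.threat, 0.0)))
                     for r in remaining]
    return chosen, sum(exposure(r) for r in remaining)  # picked measures, residual exposure
```

With these figures and a budget of 60,000, the two phishing risks and the two ransomware risks get treated while the DDoS risk is knowingly left open, which is the targeted outcome the post argues for.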