
Does Risk Management really fail in IT Security?

Oct 19, 2012 by Martin Kuppinger

In an article published at Network World Online, Richard Stiennon, Chief Research Analyst at a company called IT-Harvest, claims that IT Risk Management inevitably fails in IT. He ends up recommending “threat management techniques” instead of risk management. He says that it is about making decisions about threats. However, he seems to have a misconception about what risk management is.

Risks are threats to assets. They have a specific probability and a potential impact. The thesis of Richard Stiennon is based on the assumption that Risk Management necessarily starts with identifying all assets and assigning a value to them. He then states that risk management methods invariably fail to predict actual disasters. He also claims that a consequence of Risk Management is that “protect everything” approaches are deployed.

I don’t agree with this, from my perspective, fairly limited view of how Risk Management works in theory and practice. There is no doubt that you can do things wrong. But the conclusion that Risk Management is the wrong approach because of that is not valid.

I had a conversation with Art Coviello, Executive Vice President at EMC and Executive Chairman of RSA, the security division of EMC. We talked about the strategic approach of RSA, a topic he then covered in his keynote at the RSA Conference Europe the day after our conversation. This conversation was very much about understanding risks in IT as the starting point for successful IT security. It was especially about understanding the changing threat landscape and understanding which types of assets will be in danger. It also was about the consequence of this approach being a shift from traditional “protect all” approaches towards a far more targeted, layered, and thus sophisticated security approach.

The most important point therein is that Risk Management is not about first listing all your IT assets. That can be useful, of course, but it is just one element. By the way: many IT organizations have a working inventory of IT assets and contract management in place, while others still struggle with identifying all their applications and systems, not to mention system or even information owners.

Risk Management is about understanding both threats and their potential impact on assets. So, first of all, Risk Management does not necessarily start by identifying all assets. Second, it is not an approach which is done once and never revisited. It is about setting up a process of regularly validating former assessments.

The most important points I have when looking at the statements of Richard Stiennon are:

  • Risk Management should always take the threats into account – and understanding threats is a good starting point.
  • You will have to know about your assets anyway. If you start by analyzing the threats, the next question is about the potential impact on assets.
  • You will also need to understand the probability and potential impact of threats. If not, you are not able to identify high risk and low risk threats.
Simply said: Using “threat management techniques” done right and in a way that works is nothing other than Risk Management where you start with looking at the threats – an approach that isn’t uncommon in good Risk Management implementations.
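To illustrate the point above in code (an added example, not part of the original post): a small Python model of a risk register in which the same scoring, risk = probability × impact, is run once starting from the threats and once starting from the assets. The data model, the sample assets and threats, the likelihood and value scales, and the high/low thresholds are all constructed for this example. It shows two things the prose argues: both starting points produce the identical ranked register, and a threat that touches no asset in scope produces no risk entry, so the asset side is needed regardless of where you begin.

```python
# Threat-first versus asset-first risk assessment (illustrative model, constructed data).
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # business impact if fully compromised, 1 (low) to 5 (critical)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # estimated probability of occurrence in the assessment period, 0..1
    affects: dict       # asset name -> fraction of that asset's value at stake, 0..1


@dataclass(frozen=True)
class Risk:
    threat: str
    asset: str
    score: float        # likelihood * impact


# Constructed sample inventory and threat list (hypothetical values, not from the article).
ASSETS = [
    Asset("customer database", 5),
    Asset("public web server", 3),
    Asset("internal wiki", 1),
]

THREATS = [
    Threat("SQL injection via web app", 0.4,
           {"public web server": 0.5, "customer database": 1.0}),
    Threat("Phishing of staff credentials", 0.6,
           {"internal wiki": 1.0, "customer database": 0.4}),
    Threat("Data-centre flood", 0.05,
           {"customer database": 1.0, "public web server": 1.0, "internal wiki": 1.0}),
    Threat("Defacement of marketing site", 0.3, {}),   # hits no asset in scope -> no risk
]


def score(threat, asset):
    """risk = probability x impact; impact = asset value x share of the asset at stake."""
    share = threat.affects.get(asset.name, 0.0)
    return round(threat.likelihood * asset.value * share, 4)


def _sorted(register):
    # Highest risk first; ties broken by name so the order is deterministic.
    return sorted(register, key=lambda r: (-r.score, r.threat, r.asset))


def threat_first(threats, assets):
    """Start from the threats, then ask which assets each one can hit and how hard."""
    register = [Risk(t.name, a.name, score(t, a))
                for t in threats for a in assets if score(t, a) > 0]
    return _sorted(register)


def asset_first(threats, assets):
    """Start from the asset inventory, then ask which threats apply to each asset."""
    register = [Risk(t.name, a.name, score(t, a))
                for a in assets for t in threats if score(t, a) > 0]
    return _sorted(register)


def classify(register, high=1.0, low=0.3):
    """Bucket risks so countermeasures can be targeted instead of spread 'a little' everywhere."""
    buckets = {"high": [], "medium": [], "low": []}
    for r in register:
        level = "high" if r.score >= high else "medium" if r.score >= low else "low"
        buckets[level].append(r)
    return buckets


if __name__ == "__main__":
    reg = threat_first(THREATS, ASSETS)
    # Same register whichever side you start from; only the order of discovery differs.
    assert reg == asset_first(THREATS, ASSETS)
    for level, risks in classify(reg).items():
        print(level)
        for r in risks:
            print(f"  {r.score:.2f}  {r.threat} -> {r.asset}")
```

Running it lists the same seven scored threat/asset pairs from either traversal, with the two database exposures in the high bucket and the low-probability flood scenarios at the bottom; the threat with no asset impact never enters the register.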

We have done many webinars around Risk Management that touch on that point. And there is a report out describing our view on a GRC Reference Architecture. This report is worth reading because it puts all these things into an organizational context. It is clearly about a balance between knowing the assets and understanding the threats.

But regardless of where you start (and I agree that understanding the threats is probably the best starting point): You still need to know about your assets, the probability of attacks/threats, and their potential impact in order to do things right. Only then will you be able to pick a good mix of countermeasures, both organizational and technical, instead of ending up with a “protect everything a little” approach.


Author info

Martin Kuppinger
Founder and Principal Analyst