Risk management can be a tricky business, and this is coming from someone with a fairly straightforward view of it (which means even I can understand it!). To the lay person the purpose of risk management is to find the risks and then remove them from the organisation, otherwise why bother?
The clue, of course, is in the word management. Most information security professionals already know that once a risk has been identified you can do one of four things with it:
- Mitigate (aka manage), that is implement a control or carry out an activity that reduces the risk.
- Avoid, or basically just stop doing the thing that is causing the risk.
- Transfer, or give the risk to someone else, such as an insurer or a third party vendor (bearing in mind that the reputational impact usually stays with you).
- Accept, or face the fact that this risk is the price you pay for doing business in this area.
So let’s assume you have completed your risk assessment and applied at least one of these actions to each risk. Does this mean you are done? Does this mean you have successfully removed all of the risk from your organisation? Unfortunately, not by a long chalk.
Risks are always going to be present in your organisation: the ones you know about, albeit reduced; the ones you think are too small to worry about; and finally the ones you have no idea about.
Take the risks you know about. Even though you have reduced them, even though they may have gone from scoring an 8 to a 4 (in ISO 27005 parlance), they still exist! They can still happen, and worse still, the day after you measured them the assumptions behind that score are technically out of date. And just to really make your day, the risk may have evolved into something unrecognisable, so that the entry in your risk register no longer describes it at all.
The smaller risks you deem to be at an acceptable level suffer in the same way. Again, in ISO 27005 parlance the likelihood of something happening may change dramatically, or perhaps the ease of exploitation. Even worse, the asset value you are measuring your risks against may have changed, and that has far reaching consequences for your risk register, because every risk attached to that asset moves with it. By that I mean a project that was once of little importance to the organisation, or even a physical asset, may suddenly take on a more important role and therefore a greater ‘asset’ value, and a risk you accepted at the old value may no longer be acceptable at the new one. All of this is going to have an impact on your risks and on how they affect your organisation.
Finally, there are the risks you weren’t even aware of. To be honest, and by their very nature, there is not a lot you can do about these except follow the advice below, which applies to all risks:
You should be clear on one thing, namely that risk management is not a one time activity. All of the text books and standards will say that your risk register needs to be reviewed every year or after every major change. Whilst I don’t disagree with this per se (and in fact a minimum of a yearly formal review is an absolute necessity), I think in reality it needs to be much more frequent. Reviewing your risks needs to be an organic part of your day, to a greater or lesser degree depending on the type of environment you operate in.
This does not necessarily mean you need to pore over your risk register every day, but rather that you make a concerted and formal effort to stay aware of the changing ‘threat landscape’. You can do this through popular news sites (e.g. BBC, CNN etc.), specialist news sites (e.g. SANS, Sophos Naked Security etc.), blogs of people you know and trust, and of course Twitter, for instance. There are likely to be many more examples, but each of these sources gives you a constant stream of information that needs to be processed and reviewed in some way against your risk register. You may only make minor changes every month or so, or you may find more frequent changes depending on your environment, but either way you will be ensuring that your view of your risk environment is fresh and up to date.
Now that your risk register is up to date and well managed you can be assured that the information you have is accurate, timely and consequently meaningful. What you do with that information, however, is even more important, and something that will be looked at in a later post. As always, your comments and questions are welcome.
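To make the two points above concrete (an asset revaluation rippling through every risk attached to it, and reviews that quietly go stale), here is a small added example in Python. It is not code from the original post, and the scoring model it uses is an assumption: score = likelihood × impact, with impact taken as the current value of the asset, on 1-5 scales. ISO 27005 gives example matrices rather than a single mandated formula, so the threshold of 10, the 90 day review interval and the sample register entries are all constructed for illustration.

```python
from datetime import date, timedelta

# Assumed scoring model for illustration only: score = likelihood x impact,
# with impact taken as the current value of the asset the risk sits on.
# ISO 27005 offers example matrices rather than one mandated formula, so
# the 1-5 scales, the acceptance threshold and the review interval below
# are assumptions, not a standard.
ACCEPTANCE_THRESHOLD = 10            # accepted risks scoring above this need a decision
REVIEW_INTERVAL = timedelta(days=90)  # how long an entry may go without a review
TODAY = date(2024, 4, 1)             # fixed "today" so the example is repeatable

# Constructed sample asset values (1 = trivial, 5 = critical).
ASSETS = {"payroll-db": 2, "marketing-site": 2}

# Constructed sample register entries.
REGISTER = [
    {"id": "R1", "asset": "payroll-db", "likelihood": 3,
     "treatment": "accept", "last_reviewed": date(2023, 12, 1)},
    {"id": "R2", "asset": "payroll-db", "likelihood": 2,
     "treatment": "mitigate", "last_reviewed": date(2024, 3, 1)},
    {"id": "R3", "asset": "marketing-site", "likelihood": 4,
     "treatment": "accept", "last_reviewed": date(2024, 3, 15)},
]


def score(risk, assets):
    """Current score of one entry, recomputed from the live asset value."""
    return risk["likelihood"] * assets[risk["asset"]]


def revalue_asset(assets, name, new_value):
    """Return a copy of the asset table with one asset's value changed."""
    if not 1 <= new_value <= 5:
        raise ValueError("asset value must be on the 1-5 scale")
    updated = dict(assets)
    updated[name] = new_value
    return updated


def affected_by(register, asset):
    """IDs of every register entry whose score depends on this asset."""
    return [r["id"] for r in register if r["asset"] == asset]


def reassess(register, assets, today):
    """Flag entries needing attention: accepted risks that have crossed the
    threshold because their inputs moved, and entries whose review is stale.
    Returns a list of (risk id, reason, current score) tuples."""
    findings = []
    for r in register:
        s = score(r, assets)
        if r["treatment"] == "accept" and s > ACCEPTANCE_THRESHOLD:
            findings.append((r["id"], "accepted risk now above threshold", s))
        if today - r["last_reviewed"] > REVIEW_INTERVAL:
            findings.append((r["id"], "review overdue", s))
    return findings


if __name__ == "__main__":
    print("before:", reassess(REGISTER, ASSETS, TODAY))
    # payroll-db becomes a critical asset; every entry on it moves with it,
    # and the previously accepted R1 jumps from 6 to 15.
    revalued = revalue_asset(ASSETS, "payroll-db", 5)
    print("affected:", affected_by(REGISTER, "payroll-db"))
    print("after:", reassess(REGISTER, revalued, TODAY))
```

The point of keeping the score as a function of the live asset table, rather than a number typed into the register once, is that a single revaluation re-scores every dependent entry automatically; the register then tells you which accepted risks need a fresh decision instead of quietly sitting at a number that stopped being true the day the asset changed.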
(Artwork by Peter Spier from his book, RAIN.)