When you speak to security professionals or the Management in many organizations, most of them are of the opinion that security Risk management is all about deploying the latest security tools available in the market with a focus on applications, hacking and malware and nowadays data breach. Although these items are important to be considered, yet they are an extremely small part of the overall information security puzzle.
Consider an organization dealing with nuclear reactor designing and another organization dealing with providing cloud backup solutions. Would the Risk Management be the same for both the organizations? The answer is NO which most of you would agree upon. Both the organizations would be vulnerable to certain threats which may threaten its business models. Every business exists to make money and security become only an issue when this bottom line is affected. Risk Management should always be done with the objective that threats which are identified do not affect the bottom line. Hence, it is critical that security professionals understand threats faced by a company, but it is more important that they understand how to calculate the risk of these threats and map them to business drivers.
Let’s take up the two scenarios once again. In both the cases, there would be innumerable threats which these businesses will face. Should that business work on resolving every threat it faces? From a business standpoint, it can allot only a certain amount of money to resolve these threats. What security professionals need to understand that even if a company faces innumerable threats through a lot of vulnerabilities, they need to prioritize the risk arising out from these threats and resolve them with the limited budget available to them. In order to do so, every business will come up with an acceptable level of risk which it can withstand even it materializes.
Basis the above discussion, we can easily define risk management as:
Process of identifying the threats and vulnerabilities which a business faces, assessing the risk arising out of them, reducing it to an acceptable level and then maintaining that acceptable level.
We must ponder over two important facts here: management & maintaining. Management of the risk means identifying, resolving and then reviewing again and repeating this cycle again. A lot of security professionals confuse this with term Risk Assessment. Risk Assessment is only a part of the overall Risk Management cycle. Maintaining is another important aspect which a lot of companies get confused with. Risk Management should not be a “fit it forget it” approach and must be done on a periodic basis to ensure that the acceptable level of risk is maintained at all times. But what happens when a new risk comes up but does not affect the acceptable level of risk.
Imagine the business handling the nuclear reactor faces a new risk because a vulnerability has been discovered in an application which controls the cooling of the reactor. The vulnerability can be exploited by an attacker by manually logging into the system and running a specific command via the command prompt through an administrator access only.
What should a security professional do? The first step should be is to assess the change in the risk which has occurred in comparison to the acceptable level. To evaluate this, a risk assessment needs to be done which will help the professional understand what needs to be the future course of action. Many companies, however, do not evaluate the change in the risk levels and start focusing on patching the vulnerability itself which is a wrong approach. You may argue that a new vulnerability when detected may impact the company and hence needs to be patched anyway. So why not focus on patching it straight away? It ultimately boils down to the security budget and resources which you have at your disposal. If the security budget is tight and no resources are available and there is no change in the acceptable risk levels, it would be a good option to either postpone or prioritize the important issues at hand, rather than immediately focusing on patching the vulnerability.
Since every organization has a finite amount of money and an almost infinite number of vulnerabilities, properly ranking the most critical vulnerabilities to ensure that your company is maintaining the acceptable level of risk, is what risk management is all about. Carrying out risk management properly means that you have a holistic understanding of your organization, the threats it faces, the countermeasures that can be put into place to deal with those threats, and continuous monitoring to ensure the acceptable risk level is being met on an ongoing basis.
