Information risk management affects each and every one of us, both professionally and personally. Yet we still can’t seem to grasp what managing information risk actually means, let alone put it into practice. The problem is that the bad guys — external hackers, organized cybercrime rings, malicious employees and the like — know what’s really going on.
They know that compliance is a joke in many enterprises. They know that security audits often gloss over the real issues. They know they have free rein and that the odds are in their favor. The reality is that many people don’t know which side of the risk equation they’re on. They assume they have the clarity, context and visibility they need to manage information risk. In reality, they’re way behind the eight ball, and they don’t realize it until it’s too late.
As IT professionals, we all have a choice of how information risk management is handled in our business. It really boils down to when we address the critical issues. We can do it before an incident occurs, which is not done often enough. We can do it during an incident, which is unrealistic because odds are we aren’t even going to know when it’s taking place. We can do it after an incident, which is still the most common effort I see. Finally, we can just ignore the problem and hope we don’t get bitten.
Savvy IT professionals who see the big picture and think long term choose the first option. They put the proper information risk management systems and processes in place to handle the issues immediately, before the going gets tough.
The essence of effective information risk management is perspective and good old-fashioned common sense. It’s easy to get caught up in the minutiae and overlook the fact that information risk ties directly to business risk. The formula for making information risk management work is to be able to say, for every control, that it satisfies this requirement or mitigates this risk, and that it meets this business need. You have to apply that test to every IT and security-related decision you make, periodically and consistently over time.
The primary failure of information security is the inability to stop doing things that no longer work. In IT security, you cannot change what you tolerate. Beyond that, in most cases there is no single “right” or “wrong” way of managing information risk.
Every business and every situation is different. The key is to do whatever it takes to get the job done in your own environment based on your own circumstances. Taking a proactive information risk management approach is the only viable way to keep things in check over the long haul.