BreachExchange mailing list archives

Save money by managing IT risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 12 May 2014 19:16:33 -0600

http://www.techrepublic.com/article/save-money-by-managing-it-risk/#.

There is an old axiom - time is money. Nowhere is that more true than in
the corporate world, where hours can exponentially add up to dollars spent.
However, an often overlooked component of the time equals money equation is
risk, and risk comes in all forms, ranging from business decisions to
information access.

Take for example the impact of risk on the typical corporate IT department
- managing risk takes time and money, two elements IT departments are in
short supply of. That has led to proactive risk management becoming a
luxury that many IT departments feel that they cannot afford. However,
nothing could be further from the truth - because IT departments fail to
calculate the cost of not mitigating risk, as opposed to calculating the
upfront costs of managing risk.

Simply put, a security breach or data loss can cost significantly more in
both time and money than properly handling the risk to begin with, and that
is exactly where proactive risk management comes into the IT picture. It
all comes down to the "cost of not doing business", as opposed to the "cost
of doing business."

Some larger organizations are handling threat management proactively and
have even gone as far as dedicating personnel to IS (Information Security),
all in a quest to protect data, intellectual property and enhance
productivity. However, those organizations are few in number, especially
when compared to the plethora of small and medium enterprises (SMEs) that
simply do not have the resources to dedicate personnel to risk management.

Perhaps the key to leveraging proactive risk management comes in the form
of understanding what risk management is all about; only then can SME-level
business IT departments make the argument to invest in the proper tools,
services and partners to make proactive risk management a reality.

Risk management consists of four distinct components, each with its own
nuances and benefits to an organization. Those components can be broken
down to:

- Risk Avoidance: An objective where one determines if a practice creates
too much risk, then that practice is avoided. The reasons that make the
practice too risky can be many, ranging from BYOD (bring your own device)
initiatives to security patches to outsourcing support. For example, if
you are concerned about compliance, you should institute security controls;
if you are concerned about hurricanes, locate your business in an area in
which hurricanes do not occur -- at least not typically. There is no reason
to insure against that risk because you've avoided it.
- Risk Prevention/Mitigation: Once potential risk is identified, it is
critical to identify the tools, policies, procedures and steps to prevent
the potential risk from impacting operations, or at the very least to
reduce the damages caused by the risk.
- Risk Retention: Normal business operations always entail some risk, no
matter how minor - that level of risk has to be retained to successfully
conduct operations. In the IT realm, that low level risk could be
attributed to elements such as bugs, failed patches, hardware failure and
so on. In other words, there is always some risk that IT operations can be
impacted. The key here is to identify what level of risk is acceptable and
have a plan to deal with failures caused by that risk.
- Risk Transfer: A concept that entails transferring risk to another
entity, either because of budget constraints or assigned duties or
infrastructure/process ownership. The trick with risk transfer is to
determine who should own the risk. For example, a services organization may
be contracted to handle hardware (and warranty related) repairs, shifting
the mitigation of hardware problems (the identified risk) to that
organization. Other examples include software support contracts, insurance
policies and contractual agreements, such as SLAs (service level
agreements).

Knowing the components that make up risk management helps managers
determine what the most important element of risk is, and that is knowing
what risks exist. That takes a methodological approach to inventorying
risk, a process that requires comprehensive tool sets that automate
discovery, organization and reporting. Nowhere is that more important than
in the IT realm, where complexity, as well as intricate relationships, prove
to be abundant.

While some off-the-shelf tools accomplish automating IT inventory, very few
- if any - can associate risk with software and hardware components
discovered during automated scans. That process usually takes additional
forensics technologies, as well as manual interpretation of the results.

However, there are some shortcuts and up-and-coming products that can
simplify the process, giving managers the ability to deal with risk
without an inordinate expenditure of time. The key to the process is using
the right tool - one that balances inventory processes against security
scans and scheduled maintenance - which, in effect, transforms risk
management into a traditional IT process that is part of a larger whole.
With that in mind, it becomes easier for network managers to make the
financial arguments that can lead to funding for acquiring those tools -
which ultimately deliver much more beyond simple network and security
management.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
