In the broad spectrum of activities which might be called Information Security, we must always first and foremost implement, execute and follow through with risk management. Risk management is the backbone or foundation of any good information security program.
Risk management is really just going around, taking a look at the way things are set up, processes, policies, from what ports are open on the firewall to what rules are set on your antivirus client. Risk management is a process of inventorying the existence or state of things, reviewing all this against your knowledge, expertise, research and maybe even some tools, to determine if we're doing things the right way or not.
Even if we're going along with best practices, we must understand that we still have some risk. There is no such thing as 100% security - the best practice in the world doesn't remove all risk - unless we want to unplug our infrastructures from the public Internet and never allow anyone to access anything. This scenario basically shuts down our business - that means we must balance risk management with running the business. This caveat should be posted on every security professional's desk to review constantly, as they attempt to implement or manage security controls.
We must define our existing controls and determine the gaps - then we define the present risk for it all. Once this is done, we can begin to prioritize that risk - figure out strategies to reduce risk based on the priority or criticality of the asset or data or service or other resource we're trying to protect. We can close unnecessary ports, change our A/V policy to restrict more, add language to our policies - we find ways to reduce that risk through the controls we have or the controls we implement based on our risk assessments and determination.
This strategy isn't new - I didn't invent it. But in my experience many organizations have never heard of risk management, at least from an IT perspective. We don't have to go down the rat hole and hire an accountant to calculate the ARO or SLE, but we should be familiar with these terms - with what they represent. This makes us more prepared, so that when we identify a risk and need to implement a control, we can intelligently discuss the problem in terms the business understands - dollars.
We learn to protect the business, not because we know how to SSH into a firewall and set up an access control list, but by providing expert counsel, by understanding what the business is trying to accomplish, by understanding the risks inherent in technology, and by offering wise solutions based on actual, prioritized risk and not Fear, Uncertainty and Doubt (FUD).
If we can build our security programs upon a foundation of proper Risk Management, we have the groundwork for policy, process, technology - we can build teams dedicated to the correct task and eliminate or minimize time wasted on non-essential activity. We can operate our security program as a function of risk management - prioritized to be laser-focused on the most critical maintaining a low risk profile for the organization's IT infrastructure.
When I talk to many information security people about Risk Management, I see the deer in the headlights. As an industry we must be able to walk in both worlds, technology and business. Risk management is a language understood and appropriate for both.
Cross-posted from http://rfrietzsche.blogspot.com/2012/12/risky-business.html