03 Jan Risk Management — Just Another Buzzword?
As an information security professional, I started off my career thinking infosec was all about technical controls: networking, infrastructure, application development. With time, I realised that information security is actually more about which technical controls you choose to implement and how you go about doing that.
At the start of my full-time employment, I spent most of my time performing IT audits and IT-related consultancy projects. Whilst most found the process of auditing boring, I found there was an interesting edge to it, if it was not done in a parrot-like manner. Slowly I started understanding the mechanics behind an audit, gradually understanding the decisions made on which controls to audit, the sample size, the frequency and so on. It all boiled down to risk management: which controls to audit, and in what depth. These are the same questions I now find myself asking when writing up my yearly infosec strategy.
In the past couple of years, risk management has taken a central role in the information security space. “Risk-based approach” has become somewhat of a buzzword and, with time, if we are not mindful, it can start losing its relevance in our day-to-day jobs. I got to thinking about this some time ago, and I wanted to share my thoughts in this post: about the importance of not making parrot-like decisions, and of not treating risk management principles as just another term sung by experts at conferences.
I strongly believe risk management actually represents the decisions taken by security professionals on a daily basis. In working to protect an ever-changing digital space, a wide range of technologies and buildings full of people, we are consciously or unconsciously making decisions to prioritise our work and our teams’ work. When we build our strategies, select our controls and assign work programmes, we are making choices to focus on mitigating risks, with some risks given more focus and assigned more resources than others. Essentially, when making these choices we are taking into consideration what we think will best protect the organisation, what will allow us to do our jobs better and what will have the most positive outcome.
What I have noted through my experience, however, is that we should be mindful of the decisions we are taking: we should challenge our decisions and make sure we are taking actual risk into account when making them. If we do not, if we do not put risk management at the centre of our decisions and do not frequently remind ourselves what our objective is (to reduce risk to our business), our choices might be driven by our subconscious biases.
If we do actually start acting as if the term “risk-based approach” is nothing more than a buzzword, acting only on our instincts and not going back to the fundamental principles of risk management when making critical security decisions, we might make the wrong ones. In organisations where most business leaders are focusing on the path that will make them the most profit, the path that will make them most successful, or even the path that gives them the shortest time to market, it is our responsibility to stay alert: to not lose sight of what we were hired to do, to not allow external and internal factors within our organisations to sway our decisions, and to not choose the path of least resistance.
Building an information security framework that holds risk management principles at its core, one that gives us, as security leaders, a point of reference, should be a priority. Not because risk management is the new buzzword in information security, but because it is what is actually needed to build a strong strategy that allows a balanced approach to mitigating risk. A business operates within risk; this is an accepted fact. As businesses continue to embrace digital transformation, our threat landscape continues to grow. Risk management is a way by which we can sift through the chaos and properly plan to focus on unacceptable risks: to not be distracted by the most complex vulnerabilities in our products, but to focus on the ones most likely to be found and/or the ones that will impact the organisation most, or even the ones that have actually been exploited in the wild.
We are swimming in a sea of security risks. Risk management allows us to make sure we are focusing our strengths on protecting enough, whilst allowing our businesses to find the quickest and most successful way to profit-making.
The above post is a reflection of my personal opinion and in no way reflects nor is related to my employment.