From our experience, however, there's some wishful thinking going on. Rarely do the companies we work with even have a comprehensive asset list, let alone any consistent risk-based analysis of assets or controls. In addition, a plethora of risk-based models--AS/NZS ISO 31000:2009, ISO 27005, COSO, OCEG--get caught up in religious wars over which is best. Within these models is a variety of approaches, including data-centric security; enterprise risk management; information risk management; and governance, risk, and compliance.
The devil really is in the details. To base a security management approach on risk, you must know how any given asset is valued, the likelihood that a threat will exploit a vulnerability, and the impact to the business if a given asset were to be compromised. And you must accept that not everything can be fixed. When managing risk, IT has several mitigation options to consider: reduce, transfer, avoid, or accept. Be realistic. For the time being, you may have to transfer, avoid, or accept risks that you would prefer to reduce. This is where being able to assess the value of a service and the costs of possible controls is invaluable.
Most of all, don't get bogged down. All of today's risk standards have the same core components. Fighting over which to use ensures just one thing--that you won't make progress. You can always change later if it turns out an approach is too complex or another framework is more relevant for your company. Just pick one and get going.
Rise Of Risk Management
Continue to the sidebar:
Risk Management In A Box?