Adoption of a 'risk-managed' approach to information security is extremely fashionable amongst the organisations that I work with.
Many organisations see the old draconian approach to security as blocking the needs of business users and dampening the agility that is a required characteristic of many businesses during the ongoing financial crisis.
One of the problems of trying to adopt a risk-managed approach, however, is the varied perception of the term. To some, it means all options are now available; to others it means an uncomfortable increase in personal accountability.
What often happens is that those involved in making risk management decisions begin to realise quite how different their views are from those of their peers: on the risk appetite of their organisation, on the risk posed by the failure of a particular service, on the risk posed by a particular vulnerability, or on the capabilities and motivations of a specific threat.
Just because something can be difficult to do properly does not mean that it is not worth doing. The benefits of a risk-managed approach include:
- An ability to deliver innovative and highly beneficial solutions that may fall outside of 'policy'
- Security services tailored to thwart the most damaging genuine threats rather than a generic approach trying (and often failing) to raise the bar for all threats or blindly relying on existing controls
- A more integrated approach to information security across the organisation and supply chain due to the need to engender a common understanding of risk
- Improved employee engagement and understanding of their role in maintaining the security posture of their organisation.
So, what are the necessary prerequisites to enable an organisation to successfully adopt a risk-managed approach? The points to address include:
- The organisation must have an appropriate governance structure in place to empower those charged with making risk management decisions, and which provides a communications channel with the management who should be the final arbiters of the acceptability of risk. The governance structure must include relevant bodies at a variety of levels – project, programme and organisational – and include personal accountability for all those within the organisation. The meetings of these bodies must be adequately recorded so as to maintain a trail of accountability for decisions made and the reasoning underpinning those decisions.
- There must be a degree of stability and retention with regards to key personnel. It is an unfortunate fact that individuals judged on their ability to deliver a project may often take on a higher level of operational risk than those to whom the project will deliver. It should not be a case of individuals being able to 'throw a project into operations' and walk away without any accountability post go-live.
- There needs to be a consistently expressed view of acceptable risk across the business; this risk appetite needs to be defined at the highest levels of governance and then communicated throughout the organisation. Projects should be able to deviate from the organisational risk appetite within certain agreed tolerance levels depending on business benefits and project-specific risks.
- It is key to implement an organisational standard in the area of risk assessment so as to deliver consistent, reproducible outcomes. The risk assessment methodology must be able to distinguish between the different capabilities and motivations of a variety of relevant threats.
- Organisations need a security function capable of articulating complex technical risks into business-relevant risks that can be discussed with the business management – communication of risk using terms understandable to all is critical to success.
- Risk assessment is not a one-shot deal – business services, threats, risks and associated impacts all evolve over time. Organisations need to manage identified risks via a risk treatment plan but also need to regularly revisit their risk assessments to ensure that the set of managed risks remains current.
- Organisations need to maintain an assurance capability to test their assumptions and to test that the controls that have been implemented do in fact provide the expected levels of control. Penetration testing is often a good tool for testing (and quantifying) specific risks where that testing is tightly scoped.
Overall, pragmatism is the key to success. Everyone involved must understand that (in most scenarios) a certain level of risk must be accepted in order to allow progress. This may mean that, occasionally, accepted risks materialise – an online service may be compromised for example. This is not a failure of the approach; the organisation should have reaped many benefits to counterbalance the impacts of compromise.
A risk-managed approach to security is a delicate balancing act but one which, with perseverance and understanding, can enable businesses to adopt new ways of working while demonstrating due diligence with respect to protection of their information assets.
Lee Newcombe is an executive consultant at Capgemini