The First Law of Risk Management

Thursday, February 03, 2011

Healthcare CSO


Thanks to Anthony and the Infosec Island site, I get to share my thinking, such as it is, with a broader audience than just those folks hanging out at Security, Cigars & FUD. We'll find out if that's good or bad.

A quick intro for you. I'm a CSO who's been doing security stuff for over 25 years. I have a background in the military, consulting, professional services and healthcare delivery.

Everything I write here, or at Security, Cigars & FUD, is absolutely my own opinion and does not represent the position of anyone who may employ me, has employed or will employ me in the future.

So, now, without further ado, here is my inaugural post on Infosec Island. 

---------------------------------------------

This is the first post in a series of three dealing with risk management within the security field. Over many years of dealing with security risk management, I've developed my "laws of risk management," and I thought that I would share them in a series of posts. This is the first one.

My First Law of Risk Management: Risk managed at the wrong level leads to crisis.

Failure to escalate a risk to the management level with the scope, authority and ability to manage it inevitably leads to a crisis. Every security crisis I have ever been involved with had, at its root, a situation where risk was being managed at the wrong level of the organization.

Why is this a big deal? For many reasons. First, and probably most important, the manager handling the risk needs to understand the potential impact of the risk decision on the whole organization.

Choosing, for example, to not send backup tapes offsite with Iron Mountain in order to save a few thousand dollars a year seems like a judicious decision to the manager whose cost center is being affected.

However, when those tapes are not encrypted and get stolen and contain data on hundreds of thousands of people, the impact to the organization is likely to be in the millions of dollars.

The risk and cost-benefit analysis looks entirely different a few levels higher in the organization than it did to the manager who is solely responsible for his/her cost center.

And then, just as important, the person managing the risk and the person with the actual authority to mitigate it in some fashion are not the same. Even worse, the person who has the right scope and authority is likely not aware of the risk at all.

The correct actions to deal with the risk of malicious intrusion into critical systems aren't taken because the person who is aware of the risk has no authority to have those actions taken.

This law of risk management can be dealt with by having a set of policies, procedures and management organizations within the enterprise that force transparency and elevation of risk to the appropriate level.

It absolutely requires that the enterprise be aware of the importance of risk management within security. And the enterprise must attach enough importance to security that the CISO/CSO can create the means to bring about transparency and elevation of risk.

Laws #2 and #3, which are forthcoming in the next couple days:

The Second Law of Risk Management: Align Security Risk Management with the Business ... aka Your "Risk Mitigation" Is Going To Hurt My Revenue!

The Third Law of Risk Management: Risk Can Never Be Reduced to Zero: Don't Promise Nirvana.

Cross-posted from Security, Cigars & FUD
