Risk Analysis: Do It Right and Save Money

Updated: April 30, 2009

It sounds straightforward: risk analysis calls for organizations to identify their key assets, the threats those assets face, the potential cost to the organization should a given threat come to pass, and the cost of mitigating it. When properly executed, risk analysis helps managers make informed decisions about where to invest their security dollars. It can also serve as the starting point for a comprehensive risk-management program.

In actual practice, however, risk analysis often falls short of this vision. Analytical exercises tend to be too limited in scope to be fully effective.

"It's one of the things in security that many organizations don't do well," said Jon Gossels, president of SystemExperts Corp., a computer and network security firm in Sudbury, Mass. Gossels said that the security directives incorporated in regulations such as HIPAA (Health Insurance Portability and Accountability Act) and industry standards such as PCI (Payment Card Industry) point toward risk analysis. The same holds true for security standards such as ISO 17799 (since renumbered ISO/IEC 27002), he added.

"They all call for systematic security risk assessment," Gossels said. "Most organizations don't do that yet."

In many cases, Gossels explained, risk analysis focuses on tactical projects, such as a new application rollout, rather than on the organization as a whole.

Appetite for Risk

So what should security-minded managers do instead? The key is for executives to determine their greatest risks and their "appetite for those risks," said Ron Lepofsky, chief executive officer of ERE Information Security Auditors, a Toronto-based firm that performs cyberaudits on security standards for regulatory compliance. "Do they accept them or do something about them?"

If executives seek to address a risk, the task becomes putting a price on the downside risk and figuring out the cost of mitigating that risk.

ERE's approach is to conduct an information-security audit, identify vulnerabilities and associate each vulnerability with a business risk. The company presents the client with a list of business risks. The list is circulated among the client's executive committee, with each member estimating the cost of each risk, Lepofsky said. The estimates are plugged into a spreadsheet tool that ERE provides. The estimates are averaged, and that average becomes the projected downside cost.

ERE also identifies the steps the customer must take to mitigate each IT security risk. Price quotes for addressing the various risks are obtained and entered into the tool, which then calculates the return on investment. It is then up to the executives to make a yes-or-no decision on a particular security investment, Lepofsky said.
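The procedure above (per-executive cost estimates averaged into a projected downside, a mitigation quote per risk, and an ROI figure for a fund/don't-fund decision) is simple enough to model. The following is an added example written for this page, not ERE's spreadsheet tool; the article does not give ERE's ROI formula, so the one used here, (downside avoided minus control cost) divided by control cost, is an assumption, and the risks, estimates and quotes are constructed sample data. It also adds two checks the article does not mention but a practitioner would want: a risk nobody estimated is flagged rather than silently treated as zero cost, and the spread between the highest and lowest executive estimate is reported so wide disagreement is visible behind the average.

```python
from statistics import mean

# Constructed sample input (not ERE's data). Each business risk carries the
# cost estimates submitted by individual executive-committee members (None
# means that member declined to estimate) and the vendor quote for the
# mitigation step, in dollars.
RISKS = [
    {"risk": "Customer database breach",
     "estimates": [2_000_000, 1_200_000, 1_500_000], "mitigation_cost": 150_000},
    {"risk": "Web store outage (1 week)",
     "estimates": [400_000, None, 600_000], "mitigation_cost": 120_000},
    {"risk": "Lost laptop with HR files",
     "estimates": [50_000, 80_000, 40_000], "mitigation_cost": 90_000},
    {"risk": "Unpatched test server",
     "estimates": [None, None], "mitigation_cost": 5_000},
]


def projected_downside(estimates):
    """Average the executives' cost estimates, ignoring blanks.
    Returns None when nobody estimated so the risk is flagged, not zeroed."""
    given = [e for e in estimates if e is not None]
    return mean(given) if given else None


def estimate_spread(estimates):
    """Gap between the highest and lowest estimate; a large gap relative to
    the average means the committee should discuss the risk before funding."""
    given = [e for e in estimates if e is not None]
    return (max(given) - min(given)) if given else None


def roi(downside, mitigation_cost):
    """Assumed ROI formula: (loss avoided - cost of control) / cost of control.
    A control that costs more than the loss it prevents has negative ROI."""
    if mitigation_cost <= 0:
        raise ValueError("mitigation cost must be positive")
    return (downside - mitigation_cost) / mitigation_cost


def evaluate(risks):
    """One row per risk with downside, spread, ROI and a recommendation,
    sorted so the best-returning investments come first and unestimated
    risks go to the bottom."""
    rows = []
    for r in risks:
        downside = projected_downside(r["estimates"])
        if downside is None:
            rows.append({"risk": r["risk"], "downside": None, "spread": None,
                         "roi": None, "recommend": "needs estimates"})
            continue
        value = roi(downside, r["mitigation_cost"])
        rows.append({
            "risk": r["risk"],
            "downside": downside,
            "spread": estimate_spread(r["estimates"]),
            "roi": value,
            "recommend": "fund" if value > 0 else "accept risk or seek cheaper control",
        })
    rows.sort(key=lambda row: (row["roi"] is None, -(row["roi"] or 0)))
    return rows


def fund_list(risks):
    """Names of the risks whose mitigation pays for itself under the formula."""
    return [row["risk"] for row in evaluate(risks) if row["recommend"] == "fund"]


if __name__ == "__main__":
    for row in evaluate(RISKS):
        if row["roi"] is None:
            print(f"{row['risk']:<30} {row['recommend']}")
        else:
            print(f"{row['risk']:<30} downside ${row['downside']:>12,.0f} "
                  f"spread ${row['spread']:>10,.0f} ROI {row['roi']:>6.2f}x  {row['recommend']}")
```

With the sample data, the breach and outage controls show positive ROI and are recommended for funding, the laptop control costs more than the averaged loss it prevents and is left to the executives to accept or re-quote, and the test server surfaces as a risk the committee never priced. The ROI figure is only as good as the estimates behind it; the spread column is there precisely because a mean of $1.2M and $2.0M looks far more precise than it is.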

Symantec Corp.'s consulting arm has developed its own risk-analysis approach, which it calls the Foundation IT Risk Assessment service. Symantec uses workshops and executive interviews, among other techniques, to draw out an organization's perception of its risks, noted Samir Kapuria, director of Global Consulting Services at Symantec.

Symantec also uses a toolset to support the analysis. Its Information Risk Model program gauges the maturity of an organization's capabilities for addressing risk and lets a customer benchmark those competencies against comparable companies, Kapuria said.

Gossels, meanwhile, said he recommends the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) methodology to clients pursuing risk analysis. OCTAVE was developed by Carnegie Mellon University's SEI (Software Engineering Institute), which describes it as a framework for identifying an organization's important information assets and the risks to them.

OCTAVE, Gossels said, deals with security in "the proper business context."

Dollars and Risk

The business focus is critical to risk analysis, which Gossels described as "first and foremost a matter of understanding your business."

The risk-analysis process, added Lepofsky, "tends to remove any technobabble and discussion about technology from the executive discussion and allows the executives to talk about two subjects: dollars and risk."

Kapuria said the business and technology sides of the house view risk differently, noting that both sides should be brought together.

"There tends to be a big disconnect between how … technology-management groups look at risk versus how the business looks at risk," he said.

Kapuria said business executives define risk in terms of brand damage or operational disruption. But as the execution of business functions increasingly relies on IT, a piece of technology infrastructure, a key application server for instance, can also be a source of business risk, he said.

The goal of Symantec's service is to bring the two perspectives together, Kapuria said. Whatever the approach, a thorough risk analysis can lead to wiser security investment.

"Risk analysis helps them manage their dollars more effectively," Lepofsky said, noting that ERE builds risk analysis into every security audit it performs.

"Many organizations think risk assessment is an overhead cost," Gossels said. "In fact, if you do it properly, it can save money in the long run."