You may recall that in my last post I wrote:
“Note that when I say above “basic approaches to Information Risk/Security Management” I’m using the word “management” in its strictest sense — the management of a Risk program, not management of security devices. There’s a big difference there, and people often confuse the two. I’ve found those most guilty of that confusion are the “Instinctive” types.”
Today I’d like to expand upon that statement. In this post, I’m going to try to get to the heart of what exactly Risk Management is. Not a dictionary definition per se, but what it means to actually have risk management. I think it’ll be easier to start with what isn’t Risk Management.
First, as I mentioned, Risk Management isn’t management of security devices, regardless of what a device may do for you. That, I would describe as Control Management.
Next, from what I’ve seen in the security market, Risk Management isn’t the function of any one vendor box or group of boxes. Mike Rothman is absolutely right on in that linked article. The marketing of such products leads a lot of people to be dismissive of vendors and to distrust the term “risk management” in general.
Finally, Risk Management isn’t a once-a-year BIA and Risk Assessment using one of the following: NIST SP 800-30, OCTAVE, COSO, Basel II, etc. Though this approach makes a nice binder for your shelf, it’s about as useful as government compliance, which is to say it’s another hoop for us all to jump through. Okay, maybe not Basel and COSO, but my point is that Risk Management isn’t following a checklist on a periodic basis.
So what is Risk Management? That’s more post than I’ve got time for today, but I’ll leave you with the following basic thought for discussion:
Risk Management happens in an organization when its analysts and engineers regularly, even constantly, consider likelihood and impact. It’s when the mission of a department isn’t just implementing controls; it’s understanding the impact of those controls (or the lack thereof) on business development, and being able to effectively express that impact to the rest of the organization.
Let me state that, at least on the basis of the last sentence above, I can understand how people can argue for Risk Management as an “enabler.” Compared to the instinctive approach to Control Management that passes for Security Management in many organizations, Risk Management can certainly be thought of as such.