Managing IT Security Risks:
A number of industry and market factors have increasingly caused the management of corporate risk to become a critical issue for business executives and corporate boards. Not the least of these has been the increased scrutiny for all company activities in the form of legislative and industry mandates. In addition, the increased visibility, and catastrophic financial effects of a number of recent corporate security breaches have made the management of security risk of all types into a front-burner issue for all corporations.
Possibly the most important element of any enterprise risk management (ERM) program relates to IT security risks. The most important elements of IT security risk management involve protection of critical corporate assets and the continual availability of IT services. If the IT security risks inherent in corporate asset protection and service continuity are properly mitigated and minimized, the overall risks to the corporation are significantly reduced. In addition, reducing IT security risks through the adoption of strong internal security controls makes the task of regulatory compliance much easier.
This paper considers the essential elements of a corporate risk program and discusses methods of dealing with risk, based on the type of risk and the level of risk tolerance adopted by the company. It also explains the essential elements of IT security risk management, and explores some technology solutions that can be used to significantly reduce the risk of IT security breaches.
The Increasing Importance of Security Risk Management:
Management of corporate risk has traditionally been done in, at best, an informal and usually localized way across most corporations. It has been managed in local "silos" in which each department or business unit attempted to reduce the overall risk of its operations, usually without coordination with other related corporate groups. Even worse, it has often been treated as a side issue, not as a formal discipline that should be part of all operational and decision-making procedures.
Recently, the effects of this approach have become painfully obvious, and thinking has shifted toward formal IT risk management disciplines. A number of factors have caused this shift. These factors include:
- The complexity and interdependency of corporate risk. Today's business world is dramatically more complex than in past years. The online availability of applications and data, the expansion of complex partner and supplier relationships, and the speed of today's economic changes mean that there are simply many more risks that enterprises need to consider today. In addition, risks are rarely self-contained; they are often related to each other in complex and hard-to-manage ways. A failure in one area of the business can have dramatic effects on other areas.
- The rise of legislative mandates. Regulatory compliance has become the hot topic of the past few years, spurred in large part by the recent corporate scandals. Companies now have to comply with a complex and often unclear set of requirements from both laws and industry mandates. And compliance has become personal: CEOs can now be held personally responsible for their company's compliance, and this fact creates a strong incentive to follow both the spirit and the letter of the law.
- Increased globalization. The increased geographical span of many corporations, and the complexity of the international regulations that demand compliance, imply that risk must now be treated on a world-wide basis. Such simple acts as providing customer information to a foreign subsidiary can now pose significant legal risks. In addition, the drive to expand the company's business into new areas, while at the same time reducing costs, creates pressures and risks that must be carefully managed.
- Increased visibility of catastrophic losses. The news is rife with stories about companies that have suffered catastrophic financial and corporate image losses, many of which have resulted in the company's downfall. Such companies as Barings PLC, Worldcom, Enron and others are examples of the failure to manage and control risk at all levels. No company wants to end up on this list, and so companies are adopting new and more stringent techniques and controls for managing corporate risk.
These factors are among the most important reasons that corporations are moving towards formal risk management programs and initiatives. IT risk management has become a dominant business imperative, alongside the more familiar ones of ROI and cost reduction.