IT Compliance Advisor

Nov 21 2011   5:14PM GMT

Address information risk management now — before the going gets tough

Posted by: Kevin Beaver
Tags: information risk management, managing information risk

Information risk management affects each and every one of us, both professionally and personally. Yet we still can’t seem to grasp information risk management properly and put it into action. The problem is that the bad guys — external hackers, organized cybercrime rings, malicious employees and the like — know what’s really going on.

They know that compliance is a joke in many enterprises. They know that security audits often gloss over the real issues. They know they have free rein and that the odds are in their favor. The reality is that many people don’t know which side of the risk equation they’re on. They assume they have the clarity, context and visibility they need for managing information risk. But in reality, they’re way behind the eight ball — and don’t realize it until it’s too late.

As IT professionals, we all have a choice in how information risk management is handled in our business. It really boils down to when we address the critical issues. We can do it before an incident occurs, which is not done often enough. We can do it during an incident, which is unrealistic because the odds are we won’t even know it’s taking place. We can do it after an incident, which is still the most common approach I see. Finally, we can just ignore the problem and hope we don’t get bitten.

Savvy IT professionals who see the big picture and think long term choose the first option. They put the proper information risk management systems and processes in place to handle the issues immediately, before the going gets tough.

The essence of effective information risk management involves perspective and good old-fashioned common sense. It’s easy to get caught up in the minutiae and overlook the fact that information risk can be tied directly to business risk. The formula for making information risk management work is to show, for each control, which requirement or risk it satisfies and which business need it meets. You have to apply this to every IT and security-related decision you make — periodically and consistently over time.

The inability to stop doing things that are no longer working is the primary failure of information security. In IT security, you cannot change that which you tolerate. In most cases, there is no “right” or “wrong” way of managing information risk.

Every business and every situation is different. The key is to do whatever it takes to get the job done in your own environment based on your own circumstances. Taking a proactive information risk management approach is the only viable way to keep things in check over the long haul.
