Information Risk Management
by David A. Meunier, CISSP, HISP
VP Information Risk Management & CISO
“Information Risk Management is the
holistic process of institutionalizing the
identification, analysis, evaluation, mitigation,
monitoring and communication of risk to achieve
compliance with corporate policy, regulatory
requirements and processes in accordance with the CIA
Triad of Confidentiality, Integrity and Availability of
information.”
That statement accurately outlines the
tremendous amount of effort required to achieve risk
reduction and regulatory compliance. A key success
factor relies on the security leader’s ability to reduce
the potential information risk his or her business faces
on a daily basis. Risk reduction and compliance success
cannot be fully achieved by the security leader and
his/her organization alone. True success requires a
methodology, full business participation from all
functional areas (e.g. Legal, HR, Finance, Compliance,
etc.) and buy-in. Security leaders are the nucleus in
organizing the effort by assessing the situation,
translating the risk into business terms and rallying
support. No risk is ever truly reduced to zero or
entirely eliminated. Risk continues to evolve and
moves to the next weakest link, which is why the security
leader’s main goal becomes one of managing it. Risk
management gives the security leader and the business
a way to organize their effort and direct it to the risks
they are best positioned to mitigate. With
limited resources, budget and time, risks need to be
identified, prioritized and addressed based on each
risk’s likelihood and impact to the business.
Why is there all this attention on risk
management, its importance and how it differs from
information security? One explanation is that the volume
of risk has increased, regulatory compliance has become
extremely complex, and rapid technology advancements have
made the task impossible to handle ad hoc. The security leader
and business need a methodology to determine where to
focus their resources most efficiently. Technology
advancements have given both users and wrong-doers numerous
ways to move information undetected. Combine these new
capabilities (Web 2.0 applications, for example) with the
lag in the security technology meant to protect against
them and you have a daunting challenge. In essence, today
it is about securing the broader business process rather
than securing the technology itself. Meeting this challenge
is what enables the business to be dynamic in its pursuit
of new opportunities.
In summary, businesses have four
options in handling any given risk: mitigation, avoidance,
acceptance or transference. The challenge in making that
decision lies in understanding what the risks are, where
they are and their impact on your business. You cannot
manage what you do not know, and what you do not know is
ultimately what will hurt you. Determining what to do,
how to reach a decision and when to execute it requires
an overall risk management approach. Components of an
Information Risk Management process include strategy,
organization, planning, risk assessment, risk analysis,
risk handling, monitoring, documentation, measurement
and communication. When these components are effectively
and efficiently incorporated into a cyclical process,
the outcome will be a program that provides the security
leader and business with the best chance for success in
managing information risk.