In November, I blogged about the difference between IT Risk Management and Information Security. For the full post, read here.
There’s a big difference between tactical execution and strategic oversight. Therein lies the challenge with most information security programs: they place far too much emphasis on the how and the what, and far too little on the why. Information risk management, on the other hand, concerns itself with the why, and that is what is needed to prioritize efforts.
The problem (and it’s a good problem to have) is that we’ve got a lot of great information available to us regarding the how and the what. There are libraries of control checklists from numerous standards organizations that provide good common-practice guidance on how to secure information assets. As new vulnerabilities are discovered, new patches and workarounds are circulated and proactively communicated through a huge number of alerting services. Modern Information Security practices are mostly controls-based — i.e. they focus on the what. They largely ignore the why, the element of business risk, because it’s seen as too difficult to understand.
Where this approach falls down is that there will always be far too much to do. There are too many vulnerabilities to remediate and too many controls to implement across the typical enterprise. As a result, critical deficiencies will go unmanaged. True risk management requires a business perspective on these deficiencies. Only with that business risk perspective is it possible to focus on doing the right things first. That’s lacking in the vast majority of modern businesses, and as a result, time is wasted and risk posture suffers.