Wednesday, September 10, 2008

A Simple Rationale for Risk Management (and IT Security)

What the heck is this thing we call "IT security"?

I've been in IT and information security for over 12 years, and nobody has ever really convinced me that they have actually achieved a clear and focused viewpoint. Some come very, very close. Most omit something of key relevance.

But what I do know is that a lot of things are done in the name of security, and those things are usually looked at as a trade-off between convenience and effectiveness. Basically there is this idea that controlling anything is hard, and the harder any particular something is, the less of it we want clogging up the engines of our business. Competition is hard enough without handicapping ourselves at the starting line. And so we look at this thing we don't really understand, called security, as if it were something "extra", and the conclusion we reach is: How little spending can I get away with on it and still do business?

Well, maybe asking about security wasn't the best core question after all. I have a better one:

What is doing business, really?

Ultimately, it's making decisions in the pursuit of some goal. Usually that goal is seen as turning a profit, but even if you have another mission, you can't lose money for long before you're not doing much of anything anymore. And these decisions we make can really be reduced to only two concerns: their potential benefits and their potential costs.

So fully half of our responsibility in making the right decisions for our businesses is managing the risks that we face! We could certainly pretend that tradeoffs don't exist, and that all income simply flows into our pockets, but that wouldn't make our profit greater than our expenses. To do that we need to focus on both increasing our profits *and* managing our risks/costs.

But, as we've all learned at one point or another, the world isn't that predictable or cooperative. We might have some idea of what costs we'll face, but we often don't really know until our 20/20 hindsight kicks in. This is exactly where the benefits of risk management start to shine. Managing our risks is, at its root, doing business in a way that limits our potential losses. But at its very, very best, risk management can enhance our ability to push past our previous performance limits, allowing us to confidently grasp those golden opportunities that would have been beyond our reach before.

Most IT operational risks we defend against are biased toward loss. This means that if everything goes according to plan, we're right where we expected to be, but if things go badly, we stand to lose a great deal. Not the best iterated investment strategy. However, by limiting our downside risks through diligence and care, we can reclaim a portion of our risk tolerance that we previously squandered. We can bank some risk for another day. And believe me, having a pocketful of risk to spend can be very handy indeed, especially if we're careful to allocate that risk on endeavors that actually have some upside potential.

Business is risky in the same way that skydiving is risky; it's never quite a sure thing, but it's not that bad after you figure out what a parachute is (and why knowing where your ripcord is located can be useful).

So, what the heck is this thing we call "IT security"?

IT Security is what happens when we successfully manage our risks. Plain and simple.

Cheers,

Chris Healey
