Risk Management Above All

I have people come to me all the time relating something to what they want to do with whether a particular system has been certified and accredited yet.  My answer is almost always “I don’t care about C&A, I care about risk management!”
I’ve worked on projects where my goal was, if I accomplished anything else, I was going to teach the team how to do risk management.

Why is risk management so important?  Well, for starters, you need to go into information security management knowing and accepting the following facts:

• Fact: There is always a shortage of money
• Fact: There is always a shortage of people
• Fact: There is always a shortage of time
• Fact: You will always have shortages because if you have enough resources for security, you slow down progress on the business end.

Let’s look at a related scenario from a different industry — a hospital emergency room — for some insight.  They deal primarily with time and people, and they only have so many resources to manage.  That means that they have to prioritize who gets helped first.

Inside of the emergency room, they have a pretty well-established process to determine who gets the help first.  They perform triage to evaluate and prioritize patients into categories then they treat the worst first.

Sounds like risk assessment and risk management, doesn’t it?  Good information security managers know how to do triage.  That’s how you budget out your time, people, and money.  The rest is basic project management skills.

• Core Belief #4 — Compliance is a Dead-End
• Core Belief #3 — Learn Something from the Cavalry
• Another Day, Another Vendor
• Core Belief #1 — Security is not Different
• My 2 Obsessions this Week