Archive for May, 2012

Practical Risk Management – Part 3

Recommendations for Implementing a Practical Risk Management Program

This final post in the series offers some recommendations on “how” to implement practical risk management in your organization. Check out parts one and two for the “why” and “what” of practical risk management.

Educate Decision Makers – Practical risk management relies on buy-in from the decision makers. Only by understanding the process can they make good decisions about which risks are accepted and which need to be reduced. A clear definition of risk severity levels is critical to this step.

Integrate with Existing Processes – Chances are you already have processes in place to manage and control new and changing technology and processes. Tie risk management to these processes instead of creating yet another meeting. A Project Management Office, purchasing process, technical review process, and change management process are all great candidates to integrate with risk management. Try to catch potential risks as early as possible in the process. It’s much, much easier to change a process or technology before implementation.

What can you get for $500,000? Notification for one data breach

U.S. companies are paying more to notify people impacted by data breaches, according to the 2011 Cost of a Data Breach Study: United States. The average cost to notify victims of a breach increased in this year’s study from approximately $510,000 to $560,000. At the same time, the average size of a breach is down 16 percent, and the costs associated with the detection and escalation of data breach events declined as well, suggesting that companies may be more efficient at investigating data breaches.

So, if companies are better at detecting breaches and breaches involve fewer records, why are notification costs continuing to creep up?

The simple answer is that there are more laws and regulations governing data breach notification. Forty-six states now have data breach notification laws, and there are other regulatory requirements to deal with, for instance HIPAA and HITECH. While each state’s requirements for notification vary, notification is typically required when personal identifying information (PII) has been, or is “reasonably believed” to have been, breached.

Save the Date: ISTR 17 Twitter Chat

Join Symantec security experts on Twitter (using the #ISTR hashtag) on Tuesday, May 15, at 10 a.m. PT / 1 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report, Volume 17.

This year’s report, which covers the major threat trends observed by Symantec in 2011, highlights several troubling developments. For example:

  • Symantec blocked more than 5.5 billion malicious attacks in 2011, an increase of 81 percent over the previous year.
  • The number of unique malware variants increased to 403 million and the number of Web attacks blocked per day increased by 36 percent.
  • Targeted attacks are growing, with the number of daily targeted attacks increasing from 77 per day to 82 per day by the end of 2011. The targets of these attacks are also becoming more diverse, with SMBs being targeted in addition to large enterprises.

How to Get More $ for Security

IT compliance may not be as thrilling as the latest tablet computer or smartphone that users are bringing into your organization. However, for many organizations it’s the main driver for justifying the IT security budget used to protect the organization’s critical information, which users can now access on those shiny new tablets and smartphones.

Admittedly, it’s fairly easy to secure funding for compliance. After all, you really don’t have a choice – you must comply with all the mandates, rules and regulations that are central to your industry. But being compliant is just the start of what you must do. Adequately protecting that information means going beyond the minimum – which is all many organizations do – despite everyone in IT recognizing that being compliant doesn’t equate to being secure. The problem is that justifying additional security budget beyond the compliance checklist remains a significant challenge for most IT departments.

Practical Risk Management – Part 2

Tackling Risk Management, One Step at a Time

In part one of the series I explained why information security programs should include practical risk management as a key component. In this post I will explain “the what” of practical risk management with some guidelines. The final post in the series will be “the how” of implementing practical risk management in your environment.

All information security programs are unique. The interactions of business, industry, and technology are too complex to prescribe a definitive framework for practical risk management. Instead, I will outline various guidelines and themes that any practical risk framework should contain.

Business Compatible – Above all, practical risk management needs to acknowledge and be compatible with the business it will protect. Most often the people who will accept the risk or approve the mitigation will not be security experts per se; however, they will understand the business and its goals and objectives. Presenting the risk in terms of business needs as well as security dangers will defuse the perception that security hinders the business instead of protecting it.