28 Nov 2019

NBlog Nov 28 - risks, dynamics and strategies

Of information risk management, "It's dynamic" said my greybeard friend Anton Aylward - a good point that set me thinking as Anton so often does.

Whereas normally we address information risks as if they are static situations using our crude risk models and simplistic analysis, we know many things are changing ... sometimes unpredictably, although often there are discernible trends.

On Probability-Impact Graphs (PIGs), it is possible to represent changing risks with arrows or trajectories, or even time-sequences. I generated an animated GIF PIG once showing how my assessment of malware risks had changed over recent years, with certain risks ascending (and projected to increase further) whereas others declined (partly because our controls were reasonably effective).

It's tricky though, and highly subjective ... and the added complexity/whizz-factor tends to distract attention from the very pressing current risks, plus the uncertainties that make evaluating and treating the risks so, errrr, risky (e.g. I didn't foresee the rise of cryptomining malware, and who knows what novel malware might suddenly appear at any time?).

A simpler approach is to project or imagine what will be the most significant information risks for, say, the next year, two or three. You don't need many, perhaps as few as the "top 5" or "top 10", since treating them involves a lot of work, and other risks are often reduced coincidentally as controls are introduced or improved. It's possible to imagine/project risks even further out, which may suit a security architecture development or strategic planning approach, e.g. planning to implement biometrics in a few years' time to address increasing requirements for worker authentication.

Another aspect of strategic planning for information risk and security management is that the risk modelling, analysis, treatment and projections are all inherently uncertain, therefore taking us into the realm of resilience and contingency thinking. An ISO27k Information Security Management System (or, in fact, any structured approach to managing the corporation's risks) that helps the organization cope with an uncertain future is an asset, whereas one that rigidly restricts its options may turn out to be a liability if things don't quite go to plan.

The point of this ramble, prompted by Anton's throwaway yet insightful comment about dynamics, is the need to consider both the 'here and now' and the future - even if you find yourself still desperately trying to catch up with the past!

