I have been in this field for over 30 years and this is the most exciting time to be dealing with security and risk management. The good news is that there are more tools, resources and support for the industry out there now than at any time in the past. The potential downside of that is there are a lot more people using a lot of different methods to try to have a less-than-desirable effect on all of us.
Businesses need to look at a number of different methods to deal with things like web attacks, social engineering, identity theft, scams, compliance and plain, old-fashioned theft. Security, Risk Management and Compliance are no longer items to be looked at after big decisions are made. Rather, these three key components should be part of every key decision. Every decision has an inherent level of risk. I do not advocate inserting controls for the sake of controls or compliance, just as I do not advocate ignoring risk and hoping that nothing happens. Every good decision should be made by looking at the potential downside of little or no controls and comparing that with the cost of the controls themselves. The right balance is the right answer (see diagram).
The big question posed by this is “how do I determine risk and the associated costs?” This should not be a complicated issue. You should know your business better than anyone. Because of that, you should know what feels right and what does not. Risk management can be simplified.
Some people look at it as a simple equation: Risk = Threat x Vulnerability x Cost.
Threat is the frequency of potentially adverse events. Vulnerability is the likelihood of success of a particular threat. Cost is the total cost of the impact of a particular threat. If you can reduce the value of any one of these three factors to near-zero, you have reduced your risk to near-zero. The business of risk is really business.
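The equation above, worked through as an added example that is not part of the original post: it scores one scenario as an expected annual loss, shows how a control that drives any single factor toward zero drives the risk toward zero, and weighs each control's risk reduction against its cost, which is the balance the post argues for. The scenario, the controls and all numbers are constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat scenario, scored with the post's three factors."""
    name: str
    threat: float         # expected adverse events per year
    vulnerability: float  # probability that an event succeeds (0..1)
    cost: float           # total impact of one successful event


@dataclass(frozen=True)
class Control:
    """A candidate control and how much it scales each factor (1.0 = no change)."""
    name: str
    annual_cost: float
    threat_factor: float = 1.0
    vulnerability_factor: float = 1.0
    cost_factor: float = 1.0


def risk(s: Scenario) -> float:
    """Risk = Threat x Vulnerability x Cost, read as an expected annual loss."""
    return s.threat * s.vulnerability * s.cost


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Residual scenario once the control has scaled each factor."""
    return replace(s, threat=s.threat * c.threat_factor,
                   vulnerability=s.vulnerability * c.vulnerability_factor,
                   cost=s.cost * c.cost_factor)


def net_benefit(s: Scenario, c: Control) -> float:
    """Risk removed by the control minus what the control costs to run."""
    return risk(s) - risk(apply_control(s, c)) - c.annual_cost


def best_option(s: Scenario, controls: list[Control]) -> str:
    """Option with the highest net benefit; doing nothing scores 0."""
    ranked = [("no control", 0.0)] + [(c.name, net_benefit(s, c)) for c in controls]
    return max(ranked, key=lambda r: r[1])[0]


# Constructed sample numbers, not taken from the post.
PHISHING = Scenario("phishing", threat=12, vulnerability=0.25, cost=40_000)
CONTROLS = [
    Control("awareness training", 5_000, vulnerability_factor=0.6),
    Control("MFA", 15_000, vulnerability_factor=0.1),
    Control("gold-plated overhaul", 200_000, vulnerability_factor=0.01),
]

if __name__ == "__main__":
    print(f"baseline risk: {risk(PHISHING):,.0f}")
    for ctrl in CONTROLS:
        print(f"{ctrl.name:>22}: net benefit {net_benefit(PHISHING, ctrl):,.0f}")
    print("best option:", best_option(PHISHING, CONTROLS))
```

The overhaul removes almost all of the risk yet scores negative, which is the "controls for the sake of controls" case; the cheaper control that leaves some residual risk wins on balance.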
Rackspace takes risk very seriously, both internally and for our customers. I’m interested to hear how your company deals with risk management and if you’ve ever dealt with companies who were lacking in this department.