
Effective risk management

What does IT contribute to a resilient company? A few considerations by Stefan, certainly not exhaustive, structured along Maslow's hierarchy of needs. The first part addressed the basic needs; we now turn to security needs in two articles.

The starting point of every IT security initiative should be the establishment of systematic risk management. Everyone knows that there is no such thing as absolute security: there are always residual risks, and resources are always limited. It is therefore important to develop as complete a view of the risks as possible and then actually address the right ones.

“Anyone who doesn't know their risks now is likely to get to know them sooner or later under unpleasant circumstances.”

A truism? Yes, certainly. In my opinion, the problem is not that people do not know that risk management is important. What is lacking is implementation. In my view, two points are especially critical.

First: important risks are forgotten

When identifying risks, you should not be satisfied too quickly. An initial list is always available in no time; everyone simply writes down their favorite topics and pet projects. It is far better to know a great many risks and then accept some of them by management decision, without countermeasures, than to rely on "ignorance is bliss". Of course, this is sometimes a bit more uncomfortable for management, as it creates direct accountability for these decisions. And yes, the issues can be complex. That is precisely why each individual decision should be properly prepared and justified. Each decision is a cost-benefit analysis. Deliberately not doing something is a far more prudent course than not having done everything reasonable to recognize these risks in the first place.

Ideally, the risk list is first populated in a cross-topic security management review. Within this framework, an initial assessment of security risks and their processing status, as well as the general level of security maturity, can be recorded for the various business processes. Concrete countermeasures can then be planned and taken on the basis of the identified and assessed risks.

But why are relevant risks simply forgotten? One reason is certainly that the world does not stand still. Even though I am not directly familiar with the case, the bankruptcy of the window manufacturer Swisswindows AG illustrates this fairly well. Attackers encrypted the company's data and demanded a ransom for the decryption key. The company considered itself well positioned in IT, but since the backups were stored on the same network, they too were rendered unusable in the end. A worst-case scenario: production at a standstill, and the death knell for a company with 170 employees.

Ransomware is big business today. Many companies end up paying horrendous ransoms because they were simply insufficiently prepared. What should we learn from this? Yes, ransomware belongs on a risk list. But perhaps even more important: just because it is now often mentioned in the media does not make it the only risk in the world. Risks must be identified broadly and continuously. No risk catalog is ever complete. The maxim is to stay alert, and a fresh look from an outsider from time to time can help.

Second: the implementation of countermeasures is faltering

We have identified the important risks and decided on countermeasures! Done? It is often surprisingly difficult to actually implement them. Not everything can be done in-house, and investments are necessary. Sometimes the difficulty begins with creating a basis for the investment decision that management can act on, and so the necessary resources are not released. Here, those requesting the investment must present the connections and the choice between alternatives in a comprehensible manner. Fortunately, it is in the nature of security concerns that the possible extent of damage can be presented clearly. On the other hand, people in general are inherently weak at estimating probabilities and usually need some data-based support to assess them realistically.

And then there are always the usual priorities of day-to-day business, and sometimes simply distractions. If the division lags behind its profit target, all avoidable costs are deferred as far as possible to protect the budget. There are many reasons why an agreed implementation sometimes does not become reality for a long time. The only really effective remedy is probably to stick with it after the decision has been made and demand results. The owner of a risk is not released from duty by the decision to do something, but only when the agreed countermeasures have been implemented. It is certainly not management's duty to carry out the necessary work itself, but it is management's duty to make sure it gets done. In this important area, which is easily forgotten without dedicated employees responsible for it, a little more control is definitely good.
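To make the two points above concrete, here is an added example of a small risk register in Python. It is not code from the article or from linkyard, and it assumes a quantification the article does not name: expected annual loss as probability times impact, and a countermeasure's return on security investment (ROSI) as the loss reduction it buys minus its cost, divided by its cost. The register entries, owners, probabilities and CHF figures are constructed for illustration. The example ranks risks by exposure, turns the cost-benefit comparison into a recommendation for the management decision (implement, or accept by explicit decision), and lists countermeasures that have been decided but not yet implemented, so that the risk owner is not released before the work is actually done.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Status(Enum):
    OPEN = "open"                # identified, no management decision yet
    ACCEPTED = "accepted"        # management decided to carry the risk without countermeasure
    DECIDED = "decided"          # countermeasure agreed, not yet implemented: owner still on duty
    IMPLEMENTED = "implemented"  # countermeasure in place, owner released


@dataclass
class Countermeasure:
    name: str
    annual_cost: float          # CHF per year (constructed figure)
    probability_after: float    # estimated annual probability once the measure is in place
    impact_after: float         # estimated loss per occurrence once the measure is in place


@dataclass
class Risk:
    name: str
    owner: str
    probability: float          # estimated annual probability of occurrence, 0..1
    impact: float               # estimated loss per occurrence in CHF
    status: Status
    countermeasure: Optional[Countermeasure] = None

    def expected_annual_loss(self) -> float:
        # Assumed quantification: expected annual loss = probability * impact.
        return self.probability * self.impact


def rosi(risk: Risk, cm: Countermeasure) -> float:
    """Assumed formula: (loss reduction bought by the measure - its cost) / its cost."""
    loss_after = cm.probability_after * cm.impact_after
    reduction = risk.expected_annual_loss() - loss_after
    return (reduction - cm.annual_cost) / cm.annual_cost


def recommend(risk: Risk) -> str:
    """Cost-benefit basis for the decision: implement if the measure pays for itself,
    otherwise the honest alternative is a documented acceptance, not silence."""
    if risk.countermeasure is None:
        return "no countermeasure proposed"
    return "implement" if rosi(risk, risk.countermeasure) > 0 else "accept by decision"


def rank_by_exposure(register: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first: the 'right risks' to address."""
    return sorted(register, key=lambda r: r.expected_annual_loss(), reverse=True)


def pending_countermeasures(register: List[Risk]) -> List[Tuple[str, str]]:
    """Decided but not implemented: these owners still owe results."""
    return [(r.name, r.owner) for r in register if r.status is Status.DECIDED]


def sample_register() -> List[Risk]:
    # Constructed entries; the figures are illustrative, not from any real assessment.
    return [
        Risk("Ransomware encrypts file servers and backups", "Head of IT", 0.15, 2_000_000, Status.DECIDED,
             Countermeasure("Offline backups with regular restore tests", 40_000, 0.15, 200_000)),
        Risk("Phishing leads to a compromised mailbox", "Head of IT", 0.50, 50_000, Status.OPEN,
             Countermeasure("MFA on mail plus awareness training", 15_000, 0.10, 50_000)),
        Risk("Unencrypted laptop lost with customer data", "Data protection officer", 0.30, 30_000, Status.IMPLEMENTED,
             Countermeasure("Full-disk encryption on all laptops", 2_000, 0.30, 1_000)),
        Risk("Vendor portal outage blocks order entry for a day", "Head of Sales", 0.40, 8_000, Status.OPEN,
             Countermeasure("Integrate a second vendor portal", 25_000, 0.05, 8_000)),
    ]


if __name__ == "__main__":
    register = sample_register()
    print("Risks by expected annual loss:")
    for r in rank_by_exposure(register):
        print(f"  CHF {r.expected_annual_loss():>10,.0f}  {r.name}  [{r.status.value}] -> {recommend(r)}")
    print("Decided but not yet implemented (owner still on duty):")
    for name, owner in pending_countermeasures(register):
        print(f"  {owner}: {name}")
```

Run it with `python risk_register.py` (file name assumed). The vendor portal entry shows why a documented acceptance is a legitimate outcome: the second integration costs far more per year than the loss it avoids, so the prudent decision is to accept that risk knowingly rather than to leave it off the list.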

Would you like to establish systematic and up-to-date risk management? Contact us for targeted external support based on economic criteria.

--

About the author

Stefan is a managing partner at linkyard. For over a decade, he has worked as an auditor on quality management and information security. On a part-time basis, he is a lecturer in information security and project management at a university of applied sciences and is also happy to assist you on the subject of risk management.
stefan.haller@linkyard.ch | +41 78 746 51 16