Effective risk management
What is the contribution of IT to a resilient enterprise? A few, certainly not conclusive, considerations by Stefan based on Maslow's pyramid of needs. In the first part we have the basic needs addressed, and now we are devoting two articles to security needs.
The starting point of any initiative in the field of IT security should be the establishment of a systematic risk management. Everyone knows that there is no such thing as absolute security. There are residual risks and resources are always limited. Accordingly, it is important to gain as complete a view as possible of the risks and then to really address the right risks.
"Those who don't know their risks now, sooner or later they may find themselves in unpleasant circumstances"
Truism? Yeah, sure. In my opinion, the problems do not lie in the fact that people do not know that risk management is important. There is a lack of implementation. In my view, there are two main points of neuralgia.
First: important risks are forgotten
When identifying risks, one should not be satisfied too quickly in the first instance. A first risk list is always quickly at hand, everyone writes down their favourite topics and "hobbyhorses" are usually quite simple. But it is much better to know a lot of risks and then accept them by management decision without countermeasures than to rely on Ignorance is Bliss. Of course, this is sometimes a little more uncomfortable for the management, as it leads to direct accountability for these decisions. And yes, the issues can be complex. But for this purpose, the individual decisions should be properly prepared and justified. Each decision is a cost-benefit analysis. Not doing something consciously is definitely a much more prudent action than not having done everything adequately to recognize these risks at all.
Ideally, the risk list is initially initialized in a cross-topic security management review. In this review, you can take an initial inventory of security risks and their processing status for the various business processes, as well as the general level of maturity with regard to security. Concrete countermeasures can then be planned and implemented on the basis of the identified and assessed risks.
But why are relevant risks simply forgotten? One reason is certainly that the world simply does not stand still. Even if I am not directly familiar with the case: the bankruptcy of the window manufacturer Swisswindows AG illustrates this quite well. Attackers encrypted the company's data and demanded a ransom for the release of the key for decryption. The company considered itself well-positioned in terms of IT, but since the backups were kept on the same network, they too were ultimately unusable. A disaster. Production came to a standstill. It is the death blow for the company with 170 employees.
Ransomware is big business today. Many companies end up paying horrendous ransoms because they were simply not sufficiently prepared for it. What should we learn from this? Yes, ransomware also belongs on a risk list. But perhaps even more important: just because this is now often mentioned in the media, it is not the only risk in the world. Risks must be identified broadly and continuously. No risk catalogue is ever complete. The maxim is to be vigilant. And every now and then a fresh look from an outsider can also help.
Second: the implementation of countermeasures is faltering
We have identified the important risks and decided on countermeasures! Done? Often it is surprisingly difficult to get them actually implemented. Not everything can always be implemented by the company itself and investments are necessary. Sometimes it already starts with the fact that it is not easy at all to create a management appropriate basis for the investment decision and the necessary resources are not released. Here, the applicants are required to prepare the correlations and choice of variants in a comprehensible way. Fortunately, it is in the nature of things that safety concerns regarding the possible extent of damage can be clearly presented. In contrast, people in general are inherently weak when it comes to estimating probabilities and usually need some data-based support to realistically assess them.
And then there are always the usual priorities - and sometimes simply distractions - of daily business. And if the business unit lags behind the profit target, all avoidable costs are delayed as much as possible to save the budget. There are many reasons why the decided implementation sometimes does not become reality for a long time. The only really effective remedy is to stick with it after the decision has been made and demand results. The owner of a risk is not relieved of his obligation to do something with the decision, but only when the decided countermeasures have been implemented. It is certainly not the duty of management to carry out the necessary measures themselves. But to ensure it is. In this important area, which can be forgotten without dedicated employees responsible for it, a little more control is definitely beneficial.
Would you like to establish a systematic and modern risk management? Contact us for a targeted external support based on economic criteria.
About the author
Stefan is Managing Partner at linkyard. For more than a decade he has been working as an auditor in quality management and information security. In addition, he works as a lecturer for information security and project management at a university of applied sciences and is happy to support you in the field of risk
management. email@example.com | +41 78 746 51 16