What kind of risk are you creating when you fire the IT security officer?
When a company decides to fire a big piece of it’s work force – it’s to reduce costs in anticipation of reduced revenues. Risk management and IT governance runs a distant second and third when it’s a question of survival. The IT department is often in the line of fire, since they’re a service organization. The IT security staff may be the first to get cut since companies view information security as a luxury, not as a must to run the business.
There is nothing in the information security policy of any organization that I have seen that talks about how to manage risk when 300 employees are being fired in a short period of time in a business unit.
What is your risk appetite?
A key part of formulating and establishing information security policies for your organization is in deciding how much risk is acceptable and how to minimize unacceptable risk.
This process initially involves undertaking a formal risk assessment which is a critical part of any ISMS. However – it’s a mistake to assume that risk assessment is a static process when the business is a dynamic process. Risk assessment must be dynamic and continuous, moving at the front line of the business not as an after though or not at all.
The ISO 27000 standards provide some guidance on how this risk assessment process is to be undertaken. This guidance is summarized and annotated below:
- Use systematic approach to estimate magnitude of risks (risk analysis)
- Compare estimated risks against risk criteria to measure the significance of the risk (risk evaluation)
- Define the scope of the risk assessment process to improve effectiveness (risk assessment)
- Undertake risk assessments periodically to address changes in assets, risk profiles, threats, safeguards, vulnerabilities and risk appetite (risk management)
- Risk measurement should be undertaken in a methodical manner to produce verifiable results (risk measurement)
The stumbling block to doing continuous risk assessment is both world view (“hire a consultant once every 2 years to check us out”) and technical (“the cost of said consultant”). We have a great free ISO 27001 risk assessment software that can automate the process, save you money and help you respond fast to changes in the business. The software is based on the popular PTA (practical threat analysis) Professional risk assessment tool.