October 16, 2012, 4:23 PM

It is frustrating to see the amount of budget allocated to compliance when you consider that most of the money goes to documenting security controls, not improving defenses. One of the biggest reasons is that risk management, a carry-over from the bigger world of business, does not work in IT security.
While few small businesses have formal risk management programs, most large businesses do. They even have risk committees drawn from the board of directors, often headed up by the CFO. The goal is to identify risks and either reduce their potential impact with compensating controls or purchase insurance to further reduce the business risk.
For example, thanks to its risk management program, a large airline may recognize that rising fuel prices could hurt its competitiveness and decide to hedge fuel on the open market, or a car manufacturer that has gone too far down the path of just-in-time supply may start to warehouse critical components in case a supplier in Thailand is wiped out by a flood.
But try to translate risk management theories to IT and you run into trouble. Every risk management program starts with the directive to identify all IT assets and weight them based on their criticality to business operations. That leads to the first big problem.
1. It is expensive and almost impossible to identify all IT assets.
While at first glance identifying assets appears to be a simple problem, it is actually extremely complex; almost fractally complex. IT assets include every computer (desktop, laptop, server, print server), every application (database, email, ERP), every data set (customer lists, earth resources data, product pricing guide), all email, all documents in all versions, all identities and all communications.
Now, add in the proliferation of devices coming in with consumerization -- smartphones, iPads, even e-readers -- and the data that reside on them. Then add in the dynamic nature of the cloud, where servers can be in a constant state of flux as load is elastically met with more or fewer virtual machines. Like I said, it's complicated.
The next big problem?
2. It is impossible to assign value to IT assets.