Risk Management isn’t prioritised enough

One thing I am quite often astonished by is how low awareness is when it comes to risk management, and where risk management can and should be applied. So when I read an interview in Computer Sweden with Thomas Djurling of FRA (the National Defence Radio Establishment), in which he says that Swedish companies are naive when it comes to industrial espionage, I couldn’t agree more. But I clearly don’t agree that Swedish governmental organisations such as FRA, SÄPO (the Swedish Security Service) and SITIC (part of the National Post and Telecom Agency, PTS) should offer these services to the public, since there are quite a few other security vendors on the Swedish market that have the proper knowledge.

The problem is rather that knowledge and awareness of how to handle risk management is quite low, and if FRA, SÄPO or SITIC should offer their services at all, my suggestion would be that they focus on their own domain, i.e. governmental institutions. FRA’s own home page, for example, clearly describes that mission:

FRA is also engaged in information assurance. On demand, we support government authorities and state owned companies regarding current IT threats as well as general advice to improve security.

The problem is that it says on demand; what about a mandatory security audit every year or every second year? Today it is up to the local authorities whether they want to perform a security audit or not, and the audit material I’ve seen is often focused on technical aspects. To be fair, I’ve also seen great efforts at implementing security standards; but the difference between governmental organisations is far too big.

I’ve seen many government authorities and state-owned companies that lack a properly implemented awareness programme. Risk can’t be eliminated, but it can be minimised to a level the organisation can accept. It’s all about how much resource you’re willing to put in. When speaking about risk, most people think of security, and when speaking about IT security most people think of firewalls, anti-virus and so on. Also, when speaking about changes within an organisation, for example changing a procedure or implementing a new process, it’s quite common that no kind of risk analysis is done to see how a failure to implement the change would affect the organisation. The failure itself can be that the procedure is badly documented, so that the users or employees don’t know how to act in a certain situation. This in turn can mean that the employees can’t fulfil their duties, and with that we have a monetary loss. Of course it’s not always about monetary losses, since risk also includes, for example, negative publicity in the media or employees losing faith in the company; try defining the monetary value of that!

It’s all about identifying, minimising and accepting the risk that is found in every activity and asset in an organisation; if that can’t be accepted, there is a serious problem.

Kim Haverblad

Note: For more reading about this topic, please check the article at Computer Sweden (Swedish).

