It’s a risky world now, or at least it feels that way, fueled by twenty-four-hour media coverage: Annapolis was on CNN a few weeks ago when a dead construction worker dangled from a crane for over an hour. Since then we have watched the earthquake in China, the cyclone in Myanmar, the crane collapse in NYC, and much more.
That being said, IT management worries less about natural disasters and more about their web site being hacked, phishing attacks, associates bringing viruses in from their home offices, and regulators paying a visit. Regulators are often more feared than a cyclone or a tornado because of the expense and havoc they can trigger. As we continue to work with regulators in both finance and healthcare, it is easy to understand why they keep stressing the risk assessment as the foundation of an IT security program.
The risk assessment by itself does not provide magical and instant protection against security intrusions, but it does something more important: it provides a metric to measure against. You can call it the cornerstone of a security program because it measures your IT infrastructure against an existing standard and shows how it stacks up. Although many different standards and regulations exist, such as FFIEC, SB 1386, FACT, GLBA, BSA, ISO 27001, HIPAA, PCI and more, they share common components that look at how employees do their jobs and how they use the security controls available to them.
I met Peter Drucker at Claremont University when he was about 88 years old (he died in 2005 at the age of 96); he was the “father of modern management”. He told me that security assessment should be integrated into the fabric of management because managers need numbers, and “if you can’t measure it, you can’t manage it”. So that is what the risk assessment provides: a metric so the organization can start to measure its performance in these key areas.
It is an added benefit that a risk assessment also serves as a compliance assessment, since the measurement against a standard is the basis for the assessment. It shows you where you are today, where you are going, and (sometimes) how fast you can get there and how much it is going to cost.
Caroline R. Hamilton is the Founder of RiskWatch, Inc., the original top-rated risk assessment software. Hamilton served on the NIST Model-Builder’s Workshop on Risk Management from 1988-1995 and on the National Security Agency’s Network Rating Workshop. In addition, she was a member of the U.S. Department of Defense’s Defensive Information Warfare Risk Management Model and has worked on a variety of risk assessment and risk management groups, including the ASIS Information Technology Security Council and the IBM Data Governance Council, created by Steven Adler. Hamilton also received the Maritime Security Council’s Distinguished Service Award and has written for a variety of books and magazines including the CSI Alert, the Computer Security Journal, the ISSA Newsletter, The HIPAA Compliance Handbook, Defense News, Security & Design, Cargo Security and many other publications. Based in Annapolis, Maryland, Hamilton is a graduate of the University of California.