Traditionally, when we talk about risk assessment we think about the resulting risk rating, derived from the likelihood and impact of a loss of confidentiality, integrity or availability. Once you have worked out your risk rating you essentially have three options:
- Accept the risk and do nothing
- Fix or mitigate the risk
- Transfer the risk to a third party (for example through insurance or outsourcing)
At The Security Bureau we believe that two additional factors should shape your plan for managing the risk: the technical difficulty and the political difficulty of the controls you are considering. Weighing both will help you find a solution that actually gets implemented rather than one that looks good on paper.
Technical difficulty gauges whether you are able to reduce the risk adequately with the technology, skills and budget you currently have. Your existing technology may simply not be capable of enforcing the control you need. If that is the case, you will have to assess your budget against the technical gap, and decide whether you need to buy in tooling or outside expertise to help reduce the risk.
In addition to technical difficulty, you need to think about the potential ‘political difficulty’: how the business will be affected by the controls intended to reduce the risk. For example, if confidential information can be accessed through staff e-mail, you may think it necessary to restrict staff access to e-mail outside of work. However, this could hurt the business because staff can no longer operate outside office hours. Employees who travel often, or who need to respond to urgent client e-mails out of hours, would be directly affected. Because a control of this kind is drastic and touches hundreds (even thousands) of staff, there may be so much opposition that a particular risk-reduction solution is simply not feasible, whatever its technical merit.
For these reasons, it is important to remember that the solutions available to you when tackling a risk may be determined by factors outside your control. Technical and political difficulty are both worth considering as part of your risk assessment. We believe that security and business objectives should be aligned and finely balanced.
So when you have calculated your risk rating, make sure you consider all of your options, and their technical and political cost, before you settle on a particular strategy.