There is an old axiom - time is money. Nowhere is that more true than in the corporate world, where hours can exponentially add up to dollars spent. However, an often overlooked component of the time equals money equation is risk, and risk comes in all forms, ranging from business decisions to information access.
Take for example the impact of risk on the typical corporate IT department - managing risk takes time and money, two elements IT departments are in short supply of. That has led to proactive risk management becoming a luxury that many IT departments feel that they cannot afford. However, nothing could be further from the truth - because IT departments fail to calculate the cost of not mitigating risk, as opposed to calculating the upfront costs of managing risk.
Simply put, a security breach or data loss can cost significantly more in both time and money than properly handling the risk to begin with, and that is exactly where proactive risk management comes into the IT picture. It all comes down to the "cost of not doing business", as opposed to the "cost of doing business."
Some larger organizations are handling threat management proactively and have even gone as far as dedicating personnel to IS (Information Security), all in a quest to protect data, intellectual property and enhance productivity. However, those organizations number in the few, especially when compared to the plethora of small and medium enterprise (SME) that simply do not have the resources to dedicate personnel to risk management.
Perhaps the key to leveraging proactive risk management comes in the form of understanding what risk management is all about, and only then can SME level business IT departments can make the argument to invest in the proper tools, services and partners to make proactive risk management a reality.
Risk management consists of four distinct components, each with its own nuances and benefits to an organization. Those components can be broken down to:
- Risk Avoidance: An objective where one determines if a practice creates too much risk, then that practice is avoided. The reasons that make the practice too risky can be many, ranging from BYOD (bring your own device initiatives) to security patches to outsourcing support. For example, if you are concerned about compliance, you should institute security controls or hurricanes, locate your business in an area in which hurricanes do not occur — at least not typically. There is no reason to insure against that risk because you've avoided it.
- Risk Prevention/Mitigation: Once potential risk is identified, it is critical to identify the tools, policies, procedures and steps to prevent the potential risk from impacting operations, or at the very least to reduce the damages caused by the risk.
- Risk Retention: Normal business operations always entail some risk, no matter how minor - that level of risk has to be retained to successfully conduct operations. In the IT realm, that low level risk could be attributed to elements such as bugs, failed patches, hardware failure and so on. In other words, there is always some risk that IT operations can be impacted. The key here is to identify what level of risk is acceptable and have a plan to deal with failures caused by that risk.
- Risk Transfer: A concept that entails transferring risk to another entity, either because of budget constraints or assigned duties or infrastructure/process ownership. The trick with risk transfer is to determine who should own the risk. For example, a services organization may be contracted to handle hardware (and warranty related) repairs, shifting the mitigation of hardware problems (the identified risk) to that organization. Other examples include software support contracts, insurance policies and contractual agreements, such as SLAs (service level agreements).
Knowing the components that make up risk management helps managers determine what the most important element of risk is, and that is knowing what risks exists. That takes a methodological approach of inventorying risk. A process that requires comprehensive tool sets that automate discovery, organization and reporting. Nowhere is that more important than in the IT realm, where complexity, as well as intricate relationships prove to be abundant.
While some off the shelf tools accomplish automating IT inventory, very few - if any can associate risk with software and hardware components discovered during automated scans. That process usually takes additional forensics technologies, as well as manual interpretation of the results.
However, there are some short cuts and up and coming products that can simplify the process, giving managers the ability to deal with risk, without an inordinate expenditure of time. The key to the process is using the right tool - one that balances inventory processes against security scans against scheduled maintenance - which in effect, transforms risk management into a traditional IT process, that is part of a larger whole. With that in mind, it becomes easier for network managers to make the financial arguments that can lead to funding for acquiring those tools - which ultimately deliver much more beyond simple network and security management.
Frank J. Ohlhorst is an award-winning technology journalist, author, professional speaker and IT business consultant. He has worked in editorial at CRN, eWeek and Channel Insider, and is the author of Big Data Analytics. His certifications include MCNE, MCSE, A+, N+, L+, and Security+.