Professional Education and Career Blog

Risk Management: How to Properly Implement a Robust Policy

Security has become one of the most important aspects of modern corporate life. One only needs to read the news to see how damaging a security breach can be, not only for a company's customers, but for the perception of the company in the minds of consumers. For these and other reasons, it’s crucial to develop a comprehensive strategy to manage your current risks and maintain vigilance of future risks. Here are some tips for keeping your company safe and secure.

Tip 1: Take the Risk Seriously

This might seem obvious, but too many companies pay lip service to security and only realize after it’s too late that they really didn’t do enough. Your risk management policy should be a cornerstone of the company, alongside sales, marketing, R&D, etc. It’s not enough to put a “security hat” on someone and move on. Security needs to be a central interest of the company that gets constant review.

Tip 2: Accountability Starts at the Top

Risk acceptance is a necessary part of all risk management, whereby risks are specifically documented together with their mitigation strategies. However, your security department should not be the one that accepts the risk. Ultimately, a corporate officer should be signing the risk acceptance form, which means the business is accepting the risk, not an individual.

Tip 3: Reevaluate Risks and Mitigation at Regular Intervals

This is another area that tends to get more rubber-stamping than actual action. What was impractical five years ago might be practical now. Risk assessments should be given a fresh airing to see what can be improved.

Tip 4: Testing, Testing, Testing

Most of the companies we read about that had major security breaches probably believed they had airtight, adequate security. So how do we explain it when that security fails? Most likely they had false confidence in their security that proper auditing could have uncovered. Security is a topic that is constantly changing and evolving, and it’s difficult to keep up. Just as people should always test their software backups to make sure they’re readable in case of emergency, so should they test their security to make sure it’s really doing what they think it’s doing.

Tip 5: Risk Should Drive Purchasing Decisions

How much should you spend on risk mitigation and security? This should be aligned with what your risk impact analysis shows as potential loss if the risks were exploited. Look at what is most at risk and use that information to drive the needed costs. Risk mitigation should be a return-on-security-investment calculation.

Tip 6: Don’t Let it Get Bogged Down in Bureaucracy

The reason many companies end up failing at security is that the burden becomes so painful and unmanageable that people skip it in the name of “getting things done.” The risk management process should be as streamlined and clearly defined as possible, and implemented at a centralized location. The process of risk management should get its fair share of attention, not just the end result.

Tip 7: Risk Management is a Business Process

Too often the CIO position and the security department are treated as a “necessary evil” by other management. They’d say it’s important, but not as important as revenues and other “real” business processes. That attitude lasts until a major security breach happens, such as what happened at Target recently, and suddenly it’s apparent that security is very much a “real” business process. Don’t make the mistake of thinking risk management is separate from the business of generating profit.

Tip 8: An Imperfect Strategy is Better than No Strategy

Don’t wait for the perfect framework to be designed when you know there’s a problem to be solved. Like the story of the boy who put his finger in the dike, sometimes you need to stop the leak until the permanent fix can be implemented. Risk is mitigated through action.

Tip 9: Develop Your Internal People

You can’t develop great risk management by just purchasing technology and paying consultants. Ultimately your security and risk mitigation is only as good as the people implementing those plans. Have a plan in place for developing your staff and motivating them to continue to improve.