Once Upon a Time – the Information Risk Management Bed Time Story

Once upon a time a young boy asked his father for a bedtime story and wanted his favourite tale. Now the boy was a curious child, and it wasn’t “Who’s Afraid of the Big Bad Wolf” he was after, it was “How to implement effective risk management in a business environment”.

As well as being a good dad, the man was a consummate information security professional, so he happily launched into one of his own favourite stories. The boy was regaled with tales of wicked Threat Sources motivating Threat Actors to cause impacts that could only be countered by heroic knights wielding strong security controls. Within 30 seconds the child was fast asleep, smiling at how good this story was at making him nod off.

Zzzzzzzzzzz – are you still awake?

Regrettably, the soporific effects of the IRM story are all too well known. As soon as we security people start to explain the obvious benefits of information risk management, the eyes of our audience glaze over and the snoring starts. That’s tough! We know it makes sense and our argument is strong, yet getting it across to people and making it relevant is difficult. So, if you’re not sitting too comfortably, let me try again.

Can you tell the big bad wolf from the wicked queen?

Managing a modern organisation, whether a private business or a public sector body, requires the Board to know what the critical services to customers are and what mechanisms are needed to manage the risks (financial, regulatory, market, competitive, etc.) to delivering those services. Business risk management processes, supported by tools, are used to monitor risks and to support informed decisions on how best to take advantage of opportunities and avoid pitfalls.

Protecting your kingdom

Risks to information should be an intrinsic part of the business risk management process but are often left out of it. After all, information risk is an IT ‘thing’, isn’t it, and something for the CFO and the security manager to deal with? In fact, information risk is not a specifically IT matter, since information exists in many forms: from company IPR, to staff personal details, to sensitive client information that you have been entrusted with. Information is crucial to delivering business services, and knowing what information is essential to which business process is the first step to understanding the problem.

Can you answer the following questions satisfactorily?

  1. Do you know what your organisation’s key information assets are for each critical business service and do you know what impact it would have if these assets were compromised in some way?
  2. Have you identified what the key threats to the information in these critical services are?
  3. Are you confident that your organisation’s most important information is being properly managed and is protected appropriately?

Knowing where to station your knights in shining armour

Information Risk Management (IRM) is the process of identifying, understanding and managing the risks to the information necessary to support the delivery of business services. The aim is to support managers in making informed decisions about risk, not stifling innovation with inappropriate and expensive security controls (no matter how heroic the knights wielding them are).

Working for the happy ever after

Tackling information risk needs strategic thinking and a broad view. IRM helps to identify the most important information assets and risks as a consequence of doing business. Measures to manage risks have to be proportionate and balanced to support business delivery. Effective IRM will:

  • Identify what the real risks to your information are;
  • Inform decision making about taking advantage of business opportunities;
  • Give customers and partners confidence that their information is protected;
  • Support critical business functions with a balanced level of protection.

A balanced IRM approach will help you to identify and manage the true risks to the information you hold on behalf of customers and partners AND deliver wider business benefits by managing the risks to your own information. Looking at both will deliver cost efficiencies and strengthen your business – and you’ll be poised for a happy ever after.

Having nightmares?

So if you are having nightmares from the horror stories of unmanaged information risk here’s what you can do:

NB: The Department for Business, Innovation and Skills has launched the Cyber Voucher Scheme, open to SMEs and sole traders. Organisations can claim up to £5,000 towards IRM measures, but hurry, as the scheme closes on 24th July 2013 ( https://vouchers.innovateuk.org/cyber-security ).

So that’s the information risk management story. Still awake? How did I do? I’d love to know.
