Embarking on an Information Risk Management (IRM) strategy can be daunting. As you discover more about the potential threats â€” both inside and outside the organisation â€” you can easily feel overwhelmed.
At the same time, this knowledge often triggers a new fear â€” that the steps you need to take for your own protection could stifle your business and actually damage your prospects. One thing’s for sure â€” over-the-top levels of protection can impact on the efficiency of your business processes and cost you money.
But smart IRM is all about balance. It’s not about putting your head in the sand. But it’s not about strangling your business with draconian controls and cumbersome processes either. It is about making the right business decisions based on a real understanding of the risks.
That’s why it’s vital that IRM is driven by the business not the other way around! You can take a pragmatic approach â€” one that reduces risk without damaging the business.
“Only 10% (of risks) are likely to require the highest protection.”
Jay Heiser, Gartner vice president
And yet many businesses and organisations are still unsure how to implement an effective IRM strategy.
“Basic information risk management can stop up to 80% of the cyber attacks seen today, but experience suggests that few organisations get it right.”
IOD paper: Countering the Cyber Threat to Business, Spring 2013
The immediate dangers of not acting
Not implementing effective IRM is not just about leaving your business open to risk. It can actually hamper the way you do business. Because there are potential risks with some new technologies â€” such as cloud computing or BYOD, for instance â€” businesses often don’t embrace them for fear of the unknown risks! That results in missed opportunities whilst the competition takes full advantage. Not taking action can actually make you less commercially effective.
The benefits of smart IRM
There is a smarter way.
IRM is about facing the risks head on and making a strategic decision that balances protection with commercial need:
- Flexibility . IRM gives you the facts about risk as they affect your business and allows you to take your own path â€” one that is tailored and works for your business.
- Better decision-making . IRM helps you to identify your most important assets and the threats you face. It allows you to assess the impact on your business and to decide if you can live with the resultant risk. If you can’t, then you can take action to get the balance right.
- Putting the risk in context. Information risk is a living agenda item, not a “once and done” task. The context changes as your business grows and risks change too. If you put the risk into context you’ll get the level of security that’s right for your business at that time: not too much, not too little. It’s a lean, efficient approach.
- It’s more than a tick box exercise . Achieving an information security standard can be a very positive step but if it’s only a tick box exercise it is unlikely to offer any effective improvements in security posture and maturity. Standards can also give you a false sense of security â€” they are often a one-size-fits-all solution. IRM makes sure you are tackling the real issues on a continual basis.
Not all risks are the same
Removing 100% of information risk is impossible â€” not least because your weakest link can be your people. And the measures required wouldn’t do your business any favours either. The beauty of smart IRM, is that you can choose how to handle each risk:
Treated â€” action is taken to reduce the risk to a more acceptable level
Transferred â€” the risk is offset, for example by buying insurance
Terminated â€” the cause of the risk is removed completely
Tolerated â€” the risk is acceptable without any further treatment
The action you take depends entirely on your business objectives.
IRM enables you to focus and target investment. The fact is that, done well, smart IRM can actually bring new efficiencies that can save you money.
“All information security budget spend should be driven by quantified risk mitigation. Not by vendors, not by the press and not by technical staff. Follow these principles and you will not only reduce the impact of real world threats on the business, but may also reduce how much you spend on it.”
Mark Heathcote of IT firm Xceed.
It’s up to you and your board to lead the way â€” don’t let those with a different agenda devise your strategy. What are you waiting for?
Secure your information and strengthen your business
We have lots more valuable advice on Information Risk Management to help you balance risk with commercial opportunity.
- If you are a private sector firm, download The Board’s Guide to Information Risk
- If you are an HMG supplier, sign up for our new guide The Supplier’s Guide to IRM.
We’re here to help when you need it.
Got questions on IRM? I’d love to help. Call me, Dave James on 01452 881712 or email me at [email protected] .