RESISTANCE AND BENEFITS

"Why should I bother with doing risk assessment?!" "I already know what the risks are!" "I've got enough to worry about already!" "It hasn't happened yet." Sound familiar? Most resistance to risk assessment boils down to one of three conditions: ignorance, arrogance, and fear.
Management is often ignorant, except in the most superficial sense, of the risk assessment process, the real nature of the risks, and the benefits of risk assessment. Risk assessment is not yet a broadly accepted element of the management toolkit, yet virtually every Big 6 consultancy and other major providers of information security services offer risk assessment in some form.

Arrogance of the bottom line often drives an organization's attitude about information security, and therefore about risk assessment. "Damn the torpedoes, full speed ahead!" becomes the marching order: if it can't readily be shown to improve profitability, don't do it. It is commendable that information technology has become so reliable that management could maintain that attitude for more than a few giddy seconds. Despite the fact that a well-secured information environment is also a well-controlled, efficient information environment, management often has difficulty seeing how sound information security can and does affect the bottom line in a positive way. This arrogance is often described euphemistically as an "entrepreneurial culture."

Finally, there is fear: the fear of discovering that the environment is not as well managed as it could be and having to take responsibility for that; the fear of discovering, and having to address, risks not already known; and the fear of being shown to be ignorant or arrogant. While good information security may seem expensive, inadequate information security will be not just expensive but, sooner or later, catastrophic. Risk assessment, though still a young science with a certain amount of craft involved, has proven itself very useful in helping management understand and cost-effectively address the risks to their information and IT environments.
Finally, with regard to resistance: when risk assessment had to be done manually, or could be done only qualitatively, the fact that the process could take many months to execute and was not amenable to revision or "what-if" analysis was a credible obstacle to its successful use. That is no longer the case. Some specific benefits are described below: